Answers For Rhce

2
To know if Firewalld is running, type

# systemctl status firewalld
or alternatively:
# firewall-cmd --state
running
To check the active and default zone

# firewall-cmd --get-active-zones
1. Configure selinux.
Configure your systems that should be running in Enforcing.
[root@server3 Desktop]# vim /etc/sysconfig/selinux

[root@server3 Desktop]# head /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected
processes are protected.
• Modify SELINUX TO enforcing if any other value is set.
[root@server3 Desktop]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
[root@server3 Desktop]# reboot after this reboot your

machine once ^C
[root@server3 Desktop]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
2.Configure repository.
Create a Repository for your virtual machines. The URI is
http://content.example.com/rhel7.0/x86_64/dvd
[root@server3 Desktop]# cd /etc/yum.repos.d/
[root@server3 yum.repos.d]# vim newfile.repo
[root@server3 yum.repos.d]# cat newfile.repo
[client1]
name = "This repo is for rhce exam purpose"
baseurl =
http://sdtation.network0.example.com/content/rhel7.0/x86_64/dvd
gpgcheck = 0
enabled = 1
[root@server3 yum.repos.d]#
[root@server3 yum.repos.d]# yum clean all
[root@server3 yum.repos.d]# yum repolist

Loaded plugins: langpacks
rhel_dvd | 4.1 kB
00:00
(1/2): rhel_dvd/group_gz | 134 kB
00:00
(2/2): rhel_dvd/primary_db | 3.4 MB
00:00
repo id repo name
status
rhel_dvd Remote classroom copy of dvd
4,305
repolist: 4,305
.SSH configuration.
- Configure SSH access on your virtual hosts as follows.
- Clients within my22ilt.org (172.24.X.0/24, X is the foundation
machine no.) should NOT have access to ssh on your systems
[root@server3 yum.repos.d]# rpm -qa openssh*

openssh-6.4p1-8.el7.x86_64
openssh-server-6.4p1-8.el7.x86_64
openssh-clients-6.4p1-8.el7.x86_64
[root@server3 yum.repos.d]# systemctl status sshd.service

sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Mon 2015-06-08 04:42:58 IST; 14min
ago.
[root@server3 yum.repos.d]# firewall-cmd --permanent --add-rich-

rule 'rule family=ipv4 source address=172.25.10.0/24 service
name=ssh reject'
success
# here i considered my22ilt.org domain network address as
172.25.10.0/24. In exam they will give you a network address of
all domains required to exam in the begining itself..
[root@server3 yum.repos.d]# firewall-cmd --reload

success
[root@server3 yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" forward-port port="80" protocol="tcp" to-
port="5243"
rule family="ipv4" source address="172.25.10.0/24" service
name="ssh" reject
vim /etc/hosts.deny
sshd:172.25.2.0/24 or shhd:my133t.org
:wq
systemctl enable sshd

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
4. Configure port forwarding.

Configure both systems to forward traffic incoming on port 80/tcp
from 172.25.0.0/24 network to port on 5243/tcp.
Check if firewall is installed.
[root@server3 yum.repos.d]# rpm -qa firewall*

firewalld-0.3.9-7.el7.noarch
firewall-config-0.3.9-7.el7.noarch
[root@server3 yum.repos.d]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service;
enabled)
Active: active (running) since Mon 2015-06-08 04:42:53 IST;
8min ago
[root@server3 yum.repos.d]# firewall-cmd --permanent --add-rich-

rule 'rule family=ipv4 source address=172.35.0.0/24 forward-port
port=80 protocol=tcp to-port=5243'
success
[root@server3 yum.repos.d]# firewall-cmd --reload

success
[root@server3 yum.repos.d]# firewall-cmd --list-all
interfaces: eth0
sources:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
port="5243"
[root@server3 yum.repos.d]# ssh desktop3

The authenticity of host 'desktop3 (172.25.3.10)' can't be
established.
ECDSA key fingerprint is
eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'desktop3,172.25.3.10' (ECDSA) to the
list of known hosts.
root@desktop3's password:
[root@desktop3 ~]# firewall-cmd --permanent --add-rich-rule 'rule
family=ipv4 forward-port port=80 protocol=tcp to-port=5243'
success
[root@desktop3 ~]# firewall-cmd --reload
success
[root@desktop3 ~]# firewall-cmd --list-all
interfaces: eth0
sources:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
port="5243"
[root@desktop3 ~]# logout
Connection to desktop3 closed.
Just check how ot cross verify if its working
ssh server2.example.com -P 5243 execute this on desktop ,

verify at desktop
=================================================================
====================================================
5.
* Simple Command.
- Create a command called qstat on both systems.
- It should able to execute the following command
(ps -eo
pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
- The command shoud be executable by all users.
[root@server3 yum.repos.d]# cd /usr/bin/

[root@server3 bin]# vim qstat
[root@server3 bin]# cat qstat
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
[root@server3 bin]# chmod +x qstat
[root@server3 bin]#
[root@server3 bin]# qstat
PID TID CLS RTPRIO NI PRI PSR %CPU STAT WCHAN
COMMAND
1 1 TS - 0 19 0 0.4 Ss ep_poll
systemd
2 2 TS - 0 19 0 0.0 S kthreadd
kthread
3 3 TS - 0 19 0 0.0 S smpboot_thread
ksoftir
5 5 TS - -20 39 0 0.0 S< worker_thread
kworker
6 6 TS - 0 19 0 0.0 S worker_thread
kworker
7 7 FF 99 - 139 0 0.0 S smpboot_thread
migrati
8 8 TS - 0 19 0 0.0 S rcu_gp_kthread
rcu_bh
9 9 TS - 0 19 0 0.0 S rcu_nocb_kthre
rcuob/0
10 10 TS - 0 19 0 0.0 S rcu_gp_kthread
rcu_sch
11 11 TS - 0 19 0 0.0 R -
rcuos/0
12 12 FF 99 - 139 0 0.0 S smpboot_thread
watchdo
13 13 TS - -20 39 0 0.0 S< rescuer_thread
khelper
14 14 TS - 0 19 0 0.0 S devtmpfsd
kdevtmp
15 15 TS - -20 39 0 0.0 S< rescuer_thread netns
writeba
kintegr
bioset
kblockd
20 20 TS - 0 19 0 0.0 S hub_thread khubd
21 21 TS - -20 39 0 0.0 S< rescuer_thread md
24 24 TS - 0 19 0 0.0 S kswapd
kswapd0
25 25 TS - 5 14 0 0.0 SN ksm_scan_threa ksmd
26 26 TS - 19 0 0 0.0 SN khugepaged
khugepa
27 27 TS - 0 19 0 0.0 S fsnotify_mark_
fsnotif
crypto
kthrotl
kworker
kmpath_
kpsmous
deferwq
93 93 TS - 0 19 0 0.0 S kauditd_thread
kauditd
rpciod
ata_sff
226 226 TS - 0 19 0 0.0 S scsi_error_han
scsi_eh
scsi_tm
228 228 TS - 0 19 0 0.0 S scsi_error_han
scsi_eh
scsi_tm
xfsallo
xfs_mru
xfslogd
253 253 TS - -20 39 0 0.0 S< rescuer_thread xfs-
dat
con
cil
256 256 TS - -20 39 0 0.0 S< worker_thread
kworker
257 257 TS - 0 19 0 0.0 S xfsaild
xfsaild
370 370 TS - 0 19 0 0.0 Ss ep_poll
systemd
373 373 TS - 0 19 0 0.0 Ss poll_schedule_
lvmetad
389 389 TS - 0 19 0 0.0 Ss ep_poll
systemd
417 417 TS - 0 19 0 0.0 S balloon
vballoo
441 441 TS - -4 23 0 0.0 S<sl ep_poll
auditd
448 448 TS - -8 27 0 0.0 S<sl futex_wait_que
audispd
455 455 TS - -4 23 0 0.0 S< unix_stream_re
sedispa
ttm_swa
qxl_gc
471 471 TS - 19 0 0 0.0 SNs poll_schedule_
alsactl
473 473 TS - 0 19 0 0.3 Ssl poll_schedule_
firewal
avahi-d
480 480 TS - 0 19 0 0.0 Ssl poll_schedule_ tuned
rsyslog
484 484 TS - 0 19 0 0.0 S unix_stream_re
avahi-d
491 491 TS - 0 19 0 0.0 Ss poll_schedule_ abrtd
492 492 TS - 0 19 0 0.0 Ss inotify_read abrt-
wa
496 496 TS - 0 19 0 0.0 S poll_schedule_
chronyd
501 501 TS - 0 19 0 0.0 Ss poll_schedule_ lsmd
ModemMa
514 514 TS - 0 19 0 0.0 Ss hrtimer_nanosl
smartd
517 517 TS - 0 19 0 0.0 Ss skb_recv_datag
iprupda
519 519 TS - 0 19 0 0.0 Ss ep_poll
systemd
account
529 529 TS - 1 18 0 0.0 SNsl poll_schedule_
rtkit-d
532 532 TS - 0 19 0 0.0 Ssl ep_poll dbus-
da
548 548 TS - 0 19 0 0.0 Ss hrtimer_nanosl crond
550 550 TS - 0 19 0 0.0 Ss hrtimer_nanosl atd
551 551 TS - 0 19 0 0.0 Ssl poll_schedule_ gdm
iprinit
561 561 TS - 0 19 0 0.0 S wait
ksmtune
568 568 TS - 0 19 0 0.0 Sl poll_schedule_ gdm-
sim
polkitd
583 583 TS - 0 19 0 5.3 Rs+ - Xorg
iprdump
Network
upowerd
libvirt
rpcbind
1138 1138 TS - 0 19 0 0.0 Ss poll_schedule_ sshd
rpc.sta
colord
1430 1430 TS - 0 19 0 0.0 Ss ep_poll
master
1436 1436 TS - 0 19 0 0.0 S ep_poll
pickup
1437 1437 TS - 0 19 0 0.0 S ep_poll qmgr
dhclien
1562 1562 TS - 0 19 0 0.0 Ss+ n_tty_read
agetty
1623 1623 TS - 0 19 0 0.0 Sl poll_schedule_ gdm-
ses
1632 1632 TS - 0 19 0 0.0 Sl poll_schedule_
gnome-k
gnome-s
1642 1642 TS - 0 19 0 0.0 S poll_schedule_ dbus-
la
da
1708 1708 TS - 0 19 0 0.0 Sl poll_schedule_ gvfsd
1717 1717 TS - 0 19 0 0.0 Sl futex_wait_que
gvfsd-f
1786 1786 TS - 0 19 0 0.0 Ss poll_schedule_ ssh-
age
dconf-s
1808 1808 TS - 0 19 0 0.0 Sl poll_schedule_ at-
spi-
1812 1812 TS - 0 19 0 0.0 Sl ep_poll dbus-
da
1816 1816 TS - 0 19 0 0.0 Sl poll_schedule_ at-
spi2
gnome-s
1833 1833 TS - -11 30 0 0.0 S<l poll_schedule_
pulseau
bluetoo
1861 1861 TS - 0 19 0 0.0 Sl poll_schedule_ gvfs-
ud
udisksd
af
gp
mt
go
1887 1887 TS - 0 19 0 0.0 Sl poll_schedule_ goa-
dae
gnome-s
1896 1896 TS - 0 19 0 0.0 Ss ep_poll cupsd
1903 1903 TS - 0 19 0 0.0 Sl poll_schedule_ gsd-
pri
1922 1922 TS - 0 19 0 0.0 Sl poll_schedule_ ibus-
da
dc
x1
gnome-s
mission
en
evoluti
nautilu
gconfd-
evoluti
gvfsd-t
evoluti
seapple
tracker
2040 2040 IDL 0 - 0 0 0.0 SNl poll_schedule_
tracker
2049 2049 TS - 0 19 0 0.0 Sl poll_schedule_ rhsm-
ic
2052 2052 TS - 0 19 0 0.0 Sl poll_schedule_ abrt-
ap
gvfsd-m
gnome-t
2274 2274 TS - 0 19 0 0.0 S unix_stream_re
gnome-p
2275 2275 TS - 0 19 0 0.0 Ss wait bash
kworker
kworker
2509 2509 TS - 0 19 0 0.0 Ss+ n_tty_read bash
3074 3074 TS - 0 19 0 0.0 R -
kworker
3125 3125 TS - 0 19 0 0.0 Ss sigsuspend
anacron
package
3650 3650 TS - 0 19 0 0.0 Ss wait bash
3711 3711 TS - 0 19 0 0.0 S wait su
3714 3714 TS - 0 19 0 0.1 S wait bash
3747 3747 TS - 0 19 0 0.0 S poll_schedule_ dbus-
la
da
dconf-s
3773 3773 TS - 0 19 0 0.0 S hrtimer_nanosl sleep
3776 3776 TS - 0 19 0 0.1 S+ poll_schedule_ vim
3788 3788 TS - 0 19 0 0.0 S+ wait bash
3789 3789 TS - 0 19 0 0.0 R+ - ps
[root@server3 bin]#
=================================================================
=================================================================
============
6.
* Configure ipv6 network.
- Configure eth0 with a static ipv6 addresses as
follows.
- Configure a Static IPv6 address in Server as
fddb:fe2a:ab1e::c0a8:64/64.
- Configure a Static IPv6 address in Desktop as
fddb:fe2a:ab1e::c0a8:02/64.
- Ping the local IPv6 gateway
fddb:fe2a:ab1e::c0a8:fe.
[root@server3 bin]# nmcli connection modify "System eth0"

ipv6.addresses "fddb:fe2a:ab1e::c0a8:64/64 fe2a:ab1e::c0a8:fe"
ipv6.method manual
[root@server3 bin]# ssh desktop3

Last login: Mon Jun 8 04:55:54 2015 from server3.example.com
[root@desktop3 ~]# nmcli connection modify "System eth0"
ipv6.addresses "fddb:fe2a:ab1e::c0a8:02/64 fe2a:ab1e::c0a8:fe"
ipv6.method manual
[root@desktop3 ~]#

we configured for eno1 in mock and its working fine
=================================================================
=================================================================
==============
7. revisit
* Link aggregation
- Configure your Server and Desktop which watches for
link changes and selects an
active port for data transfers.
- Server should use the address as
192.168.0.11/255.255.255.0.
- Desktop should use the address as
192.168.0.10/255.255.255.0.
[root@server3 bin]# nmcli connection add con-name team0 type team
ifname team0 config '{"runner": {"name": "activebackup"}}' ip4
192.168.0.10/24
Connection 'team0' (069b918b-c491-4ed7-abbe-02e1e78cb615)
successfully added.
[root@server3 bin]#
[root@server3 bin]# nmcli connection add con-name team0-port1

type team-slave ifname eno1 master team0
Connection 'team0-port1' (862b5b3c-1dfd-452c-95ed-49532d162528)
successfully added.
[root@server3 bin]# nmcli connection add con-name team0-port2
type team-slave ifname eno2 master team0
Connection 'team0-port2' (255a9025-6c8c-41c8-ae44-6ef32e02bbd7)
successfully added.
[root@server3 bin]#
[root@server3 bin]# nmcli connection up team0

Connection successfully activated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/6)
[root@server3 bin]# nmcli connection up team0-port1
[root@server3 bin]# nmcli connection up team0-port2
[root@server3 bin]#
ifconfig -a
teamdctl team0 state
-----------------------------------------------------------------
--------------------
8. Revisit
* SMTP Configuration.
- Configure the SMTP mail service on Server and
Desktop which only relay mail from local system through
classroom.example.com, all outgoing mail have
their sender domain as example.com.
Ensure that mail should not store locally.
Take the Backup of main.cf
[root@server3 Desktop]# rpm -qa postfix

postfix-2.10.1-6.el7.x86_64
[root@server3 Desktop]# systemctl status postfix.service
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service;
enabled)
42min ago
Main PID: 1430 (master)
CGroup: /system.slice/postfix.service
??1430 /usr/libexec/postfix/master -w
??1436 pickup -l -t unix -u
??1437 qmgr -l -t unix -u
Jun 08 04:42:58 localhost systemd[1]: Starting Postfix Mail

Tran...
Jun 08 04:43:02 localhost postfix/master[1430]: daemon started
-...
Jun 08 04:43:02 localhost systemd[1]: Started Postfix Mail
Trans...
Hint: Some lines were ellipsized, use -l to show in full.
[root@server3 Desktop]# postconf "myorigin=example.com"

[root@server3 Desktop]# postconf
"relayhost=[station.network0.example.com]"
[root@server3 Desktop]# postconf "mydestination="
[root@server3 Desktop]# postconf "mynetworks=127.0.0.0/8
[::1]/128"
[root@server3 Desktop]# postconf "local_transport=error: local
delivery disabled" - we need to add
[root@server3 Desktop]# postconf "inet_interface=loopback-only"
[root@server3 Desktop]# cat /etc/postfix/main.cf

# Global Postfix configuration file. This file lists only a
subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5
postconf").
#
# For common configuration examples, see
BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go
to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued
that
# would otherwise bounce. This parameter disables locally-
generated
# bounces, and prevents the SMTP server from rejecting mail
permanently
# (by changing 5xx replies into 4xx replies). However,
soft_bounce
# is no cure for address rewriting mistakes or mail routing
mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION

#
# The queue_directory specifies the location of the Postfix
queue.
# This is also the root directory of Postfix daemons that run
chrooted.
# See the files in examples/chroot-setup for setting up Postfix
chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all

# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all

Postfix
# daemon programs (i.e. programs listed in the master.cf file).
This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix
# The data_directory parameter specifies the location of Postfix-

writable
# data files (caches, random numbers). This directory must be
owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix
# QUEUE AND PROCESS OWNERSHIP

#
# The mail_owner parameter specifies the owner of the Postfix
queue
# and of most Postfix daemon processes. Specify the name of a
user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER
ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A
DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used

by
# the local delivery agent for delivery to external file or
command.
# These rights are used in the absence of a recipient user
context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES

#
# The myhostname parameter specifies the internet hostname of
this
# mail system. The default is to use the fully-qualified domain
name
# from gethostname(). $myhostname is used as a default value for
many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain

name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other
configuration
# parameters.
#
#mydomain = domain.tld
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append
$myhostname,
# which is fine for small sites. If you run a domain with
multiple
# machines, you should (1) change this to $mydomain and (2) set
up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient
addresses,
# myorigin also specifies the default domain name that is
appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface

# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses
that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter
changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
# Enable IPv4, and IPv6 if supported

inet_protocols = all
# The proxy_interfaces parameter specifies the network interface

# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that

this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with
the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in
/etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail
domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup
MX
# host for. Specify those names via the relay_domains settings
for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail
addressed
# to user@[the.net.work.address] of an interface that the mail
system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or
type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched
when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL
USERS".
#
mydestination =
#mydestination = $myhostname, localhost.$mydomain, localhost,
$mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost,
$mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS

#
# The local_recipient_maps parameter specifies optional lookup
tables
# with all names or addresses of users that are local with
respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by
default.
#
# To turn off local recipient checking in the SMTP server,
specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix
local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other
than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or
"fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably
have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not
practical.
#
# The right-hand side of the lookup tables is conveniently
ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP

server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-
empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to
start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP

# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions
parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces
specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust"
SMTP
# clients in the same IP class A/B/C networks as the local
machine.
# Don't do this with a dialup site - it would cause Postfix to
"trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in

# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file
instead
# of listing the patterns here. Specify type:table for table-
based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this

system will
# relay mail to. See the smtpd_recipient_restrictions
description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to
any destination,
# - from "untrusted" clients to destinations that match
$relay_domains or
# subdomains thereof, except addresses with sender-specified
routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default
accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or
$proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or
type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file
name
# is replaced by its contents; a type:name table is matched when
a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains
that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail

to
# when no entry is matched in the optional transport(5) table.
When
# no relayhost is given, mail is routed directly to the
destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the
intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port,
[host]:port,
# [address] or [address]:port; the form [host] turns off MX
lookups.
#
# If you're connected via UUCP, see also the default_transport
parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
# REJECTING UNKNOWN RELAY USERS

#
# The relay_recipient_maps parameter specifies optional lookup
tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently
ignored.
# In the left-hand side, specify an @domain.tld wild-card, or
specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL

#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds
the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second
more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting
including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)

#
# The VIRTUAL_README document gives information about the many
forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES

#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases
used
# by the local delivery agent. The default list is system
dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for
syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases"
(or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s)

that
# are built with "newaliases" or "sendmail -bi". This is a
separate
# configuration parameter, because alias_maps (see above) may
specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)

#
# The recipient_delimiter parameter specifies the separator
between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has
on
# aliases, canonical, virtual, relocated and .forward file
lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user.
Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory

where
# UNIX-style mailboxes are kept. The default setting depends on
the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external

# command to use instead of mailbox delivery. The command is run
as
# the recipient with proper HOME, SHELL and LOGNAME environment
settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient
username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the
mailbox_command
# parameter is not subjected to $parameter substitutions. This is
to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to
run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in

master.cf
# to use after processing aliases and .forward files. This
parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport
is
# the name of a mail delivery transport defined in master.cf.
The
# :nexthop part is optional. For more details see the sample
transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX
password
# file, then you must update the "local_recipient_maps" setting
in
# the main.cf file, otherwise the SMTP server will reject mail
for
# non-UNIX accounts with "User unknown in local recipient table".
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the

IMAP
# server using LMTP (Local Mail Transport Protocol), this is
prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced
via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for
the
# capacity of the hardware you are using. The recipient limit
setting
# can be used to take advantage of the single instance message
store
# capability of Cyrus. The concurrency limit can be used to
control
# how many simultaneous LMTP sessions will be permitted to the
Cyrus
# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in

master.cf
# to use for recipients that are not found in the UNIX passwd
database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport
is
# the name of a mail delivery transport defined in master.cf.
The
# :nexthop part is optional. For more details see the sample
transport
# configuration file.
#
password
# file, then you must update the "local_recipient_maps" setting
in
for
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
# The luser_relay parameter specifies an optional destination
address
# for unknown recipients. By default, mail for
unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is
returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user
(recipient
# username), $shell (recipient shell), $home (recipient home
directory),
# $recipient (full recipient address), $extension (recipient
address
# extension), $domain (recipient domain), $local (entire
recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not)
exist.
#
# luser_relay works only for the default Postfix local delivery
agent.
#
password
# file, then you must specify "local_recipient_maps =" (i.e.
empty) in
for
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS

#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with

patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to
the
# headers of attached messages. With older Postfix versions, MIME
and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE

#
# Postfix maintains per-destination logfiles with information
about
# deferred mail, so that mail can be flushed quickly with the
SMTP
# "ETRN domain.tld" command, or by executing "sendmail
-qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains
that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT

#
# The smtpd_banner parameter specifies the text that follows the
220
# code in the SMTP server's greeting banner. Some people like to
see
# the mail version advertised. By default, Postfix shows no
version.
#
# You MUST specify $myhostname at the start of the text. That is
an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION

#
# How many parallel deliveries to the same user or domain? With
local
# delivery, it does not make sense to do massively parallel
delivery
# to the same user, because mailbox updates must happen
sequentially,
# and expensive pipelines in .forward files can cause disasters
when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient
to
# raise eyebrows.
#
# Each message delivery transport has its
XXX_destination_concurrency_limit
# parameter. The default is
$default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the
default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in
verbose
# logging level when an SMTP client or server host name or
address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of

domain
# or network patterns, /file/name patterns or type:name tables.
When
# an SMTP client or server host name or address matches a
pattern,
# increase the verbose logging level by the amount specified in
the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is

executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach
before
# the process marches on. If you use an X-based debugger, be sure
to
# set up your XAUTHORITY environment variable before starting
Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process
ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name
$process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen
session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the
detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION

#
# The following parameters are used when installing a new Postfix
version.
#
# sendmail_path: The full pathname of the Postfix sendmail
command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases

command.
# This is the Sendmail-compatible command to build alias
databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command.

This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue

management
# commands. This must be a group name with a numerical group ID
that
# is not shared with other accounts, not even with the Postfix
account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.

#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual

pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample

configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix-2.10.1/samples
# readme_directory: The location of the Postfix README files.

#
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
myorigin = example.com
relayhost = [station.network0.example.com]
mynetworks = 127.0.0.0/8 [::1]/128
local_transport = error: local delivery disabled
inet_interface = loopback-only
[root@server3 Desktop]#
[root@server3 Desktop]# The Same configuration you have to do in

desktop machine also if they asked
bash: The: command not found...
[root@server3 Desktop]# systemctl restart postfix.service

[root@server3 Desktop]# mail -s "test mail for null client"
natasha@desktop3.example.com
hi
.
EOT
[root@server3 Desktop]# Check weather mail is delivered or not by
giving the url present in the question paper
bash: Check: command not found...
yum install mutt -y

mutt -f imaps://imap2.wxample.com
=================================================================
=================================================================
============
9.
* NFS server.
- Configure Server with the following requirements.
- Share the /common directory with the example.com
(172.25.X.0/24, X is the foundation machine no.) domain clients
only, share must be writable.
- Share the /restricted/protected with the

aforementioned domain, enable krb5p security to secure access to
the NFS share. Kerberos keytab file is
http://classroom.example.com/pub/keytabs/serverX.keytab
The exported directory should have read/write
access from example.com (172.25.X.0/24, X is the foundation
machine no.) domain.
Ensure the directory /restricted/protected should
be owned by the user arora with read/write permission.
[root@server3 Desktop]# rpm -qa nfs-utils

nfs-utils-1.3.0-0.el7.x86_64
[root@server3 Desktop]# systemctl status nfs-server
nfs-server.service - NFS Server
Loaded: loaded (/usr/lib/systemd/system/nfs-server.service;
disabled)
Active: inactive (dead)
[root@server3 Desktop]# systemctl enable nfs-server.service

ln -s '/usr/lib/systemd/system/nfs-server.service'
'/etc/systemd/system/nfs.target.wants/nfs-server.service'
[root@server3 Desktop]# systemctl start nfs-server.service
[root@server3 Desktop]# echo "/common *.example.com(rw,sync)"
>>/etc/exports
[root@server3 Desktop]# cat /etc/exports
/common *.example.com(rw,sync)
[root@server3 Desktop]# exportfs -rv
exporting *.example.com:/common
exportfs: Failed to stat /common: No such file or directory
[root@server3 Desktop]# mkdir /common
[root@server3 Desktop]# chmod 777 /common
[root@server3 Desktop]# firewall-cmd --permanent --add-
service=nfs
success
[root@server3 Desktop]# firewall-cmd --reload
success
service=mountd
success
service=rpc-bind
success
success
[root@server3 Desktop]# echo "/restricted/protected
*.example.com(sec=krb5p,rw,sync)" >>/etc/exports
[root@server3 Desktop]# cat /etc/exports
/common *.example.com(rw,sync)
/restricted/protected *.example.com(sec=krb5p,rw,sync)
[root@server3 Desktop]# Bind your machine with ldap and kerberos
server by using authconfig-gtk
bash: Bind: command not found...
[root@server3 Desktop]# yum install authconfig-gtk sssd krb5-
workstation -y
Resolving Dependencies
--> Running transaction check
---> Package authconfig-gtk.x86_64 0:6.2.8-8.el7 will be
installed
---> Package krb5-workstation.x86_64 0:1.11.3-49.el7 will be
installed
---> Package sssd.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: python-sssdconfig = 1.11.2-65.el7 for
package: sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-ad = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-common = 1.11.2-65.el7 for
--> Processing Dependency: sssd-common-pac = 1.11.2-65.el7 for
--> Processing Dependency: sssd-ipa = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-krb5 = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-ldap = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-proxy = 1.11.2-65.el7 for
---> Package python-sssdconfig.noarch 0:1.11.2-65.el7 will be
installed
---> Package sssd-ad.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: sssd-krb5-common = 1.11.2-65.el7 for
package: sssd-ad-1.11.2-65.el7.x86_64
--> Processing Dependency: libdhash.so.1()(64bit) for package:
sssd-ad-1.11.2-65.el7.x86_64
--> Processing Dependency: libsss_idmap.so.0()(64bit) for
--> Processing Dependency: libsss_krb5_common.so()(64bit) for
---> Package sssd-common.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: libini_config >= 1.0.0.1 for package:
sssd-common-1.11.2-65.el7.x86_64
--> Processing Dependency: libcares.so.2()(64bit) for package:
--> Processing Dependency: libcollection.so.2()(64bit) for
package: sssd-common-1.11.2-65.el7.x86_64
--> Processing Dependency: libini_config.so.3()(64bit) for
---> Package sssd-common-pac.x86_64 0:1.11.2-65.el7 will be
installed
---> Package sssd-ipa.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: libipa_hbac(x86-64) = 1.11.2-65.el7
for package: sssd-ipa-1.11.2-65.el7.x86_64
--> Processing Dependency: libipa_hbac.so.0()(64bit) for package:
sssd-ipa-1.11.2-65.el7.x86_64
---> Package sssd-krb5.x86_64 0:1.11.2-65.el7 will be installed
---> Package sssd-ldap.x86_64 0:1.11.2-65.el7 will be installed
---> Package sssd-proxy.x86_64 0:1.11.2-65.el7 will be installed
---> Package c-ares.x86_64 0:1.10.0-3.el7 will be installed
---> Package libcollection.x86_64 0:0.6.2-22.el7 will be
installed
---> Package libdhash.x86_64 0:0.4.3-22.el7 will be installed
---> Package libini_config.x86_64 0:1.0.0.1-22.el7 will be
installed
--> Processing Dependency: libbasicobjects.so.0()(64bit) for
package: libini_config-1.0.0.1-22.el7.x86_64
--> Processing Dependency: libpath_utils.so.1()(64bit) for
--> Processing Dependency: libref_array.so.1()(64bit) for
---> Package libipa_hbac.x86_64 0:1.11.2-65.el7 will be installed
---> Package libsss_idmap.x86_64 0:1.11.2-65.el7 will be
installed
---> Package sssd-krb5-common.x86_64 0:1.11.2-65.el7 will be
installed
--> Processing Dependency: cyrus-sasl-gssapi(x86-64) for package:
sssd-krb5-common-1.11.2-65.el7.x86_64
---> Package cyrus-sasl-gssapi.x86_64 0:2.1.26-17.el7 will be
installed
---> Package libbasicobjects.x86_64 0:0.1.0-22.el7 will be
installed
---> Package libpath_utils.x86_64 0:0.2.1-22.el7 will be
installed
---> Package libref_array.x86_64 0:0.1.3-22.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================
============
Package Arch Version
Repository Size
=================================================================
============
Installing:
authconfig-gtk x86_64 6.2.8-8.el7 rhel_dvd
105 k
krb5-workstation x86_64 1.11.3-49.el7 rhel_dvd
724 k
sssd x86_64 1.11.2-65.el7 rhel_dvd
65 k
Installing for dependencies:
c-ares x86_64 1.10.0-3.el7 rhel_dvd
78 k
cyrus-sasl-gssapi x86_64 2.1.26-17.el7 rhel_dvd
40 k
libbasicobjects x86_64 0.1.0-22.el7 rhel_dvd
24 k
libcollection x86_64 0.6.2-22.el7 rhel_dvd
39 k
libdhash x86_64 0.4.3-22.el7 rhel_dvd
27 k
libini_config x86_64 1.0.0.1-22.el7 rhel_dvd
49 k
libipa_hbac x86_64 1.11.2-65.el7 rhel_dvd
71 k
libpath_utils x86_64 0.2.1-22.el7 rhel_dvd
27 k
libref_array x86_64 0.1.3-22.el7 rhel_dvd
25 k
libsss_idmap x86_64 1.11.2-65.el7 rhel_dvd
76 k
python-sssdconfig noarch 1.11.2-65.el7 rhel_dvd
96 k
sssd-ad x86_64 1.11.2-65.el7 rhel_dvd
167 k
sssd-common x86_64 1.11.2-65.el7 rhel_dvd
1.2 M
sssd-common-pac x86_64 1.11.2-65.el7 rhel_dvd
120 k
sssd-ipa x86_64 1.11.2-65.el7 rhel_dvd
271 k
sssd-krb5 x86_64 1.11.2-65.el7 rhel_dvd
108 k
sssd-krb5-common x86_64 1.11.2-65.el7 rhel_dvd
201 k
sssd-ldap x86_64 1.11.2-65.el7 rhel_dvd
202 k
sssd-proxy x86_64 1.11.2-65.el7 rhel_dvd
115 k
Transaction Summary
=================================================================
============
Install 3 Packages (+19 Dependent packages)
Total download size: 3.8 M
Installed size: 9.3 M
Downloading packages:
(1/22): authconfig-gtk-6.2.8-8.el7.x86_64.rpm | 105 kB
00:00
(2/22): c-ares-1.10.0-3.el7.x86_64.rpm | 78 kB
00:00
(3/22): cyrus-sasl-gssapi-2.1.26-17.el7.x86_64.rpm | 40 kB
00:00
(4/22): libbasicobjects-0.1.0-22.el7.x86_64.rpm | 24 kB
00:00
(5/22): libcollection-0.6.2-22.el7.x86_64.rpm | 39 kB
00:00
(6/22): krb5-workstation-1.11.3-49.el7.x86_64.rpm | 724 kB
00:00
(7/22): libdhash-0.4.3-22.el7.x86_64.rpm | 27 kB
00:00
(8/22): libini_config-1.0.0.1-22.el7.x86_64.rpm | 49 kB
00:00
(9/22): libpath_utils-0.2.1-22.el7.x86_64.rpm | 27 kB
00:00
(10/22): libref_array-0.1.3-22.el7.x86_64.rpm | 25 kB
00:00
(11/22): libsss_idmap-1.11.2-65.el7.x86_64.rpm | 76 kB
00:00
(12/22): python-sssdconfig-1.11.2-65.el7.noarch.rpm | 96 kB
00:00
(13/22): sssd-1.11.2-65.el7.x86_64.rpm | 65 kB
00:00
(14/22): sssd-ad-1.11.2-65.el7.x86_64.rpm | 167 kB
00:00
(15/22): sssd-common-1.11.2-65.el7.x86_64.rpm | 1.2 MB
00:00
(16/22): sssd-common-pac-1.11.2-65.el7.x86_64.rpm | 120 kB
00:00
(17/22): sssd-ipa-1.11.2-65.el7.x86_64.rpm | 271 kB
00:00
(18/22): libipa_hbac-1.11.2-65.el7.x86_64.rpm | 71 kB
00:00
(19/22): sssd-krb5-1.11.2-65.el7.x86_64.rpm | 108 kB
00:00
(20/22): sssd-krb5-common-1.11.2-65.el7.x86_64.rpm | 201 kB
00:00
(21/22): sssd-proxy-1.11.2-65.el7.x86_64.rpm | 115 kB
00:00
(22/22): sssd-ldap-1.11.2-65.el7.x86_64.rpm | 202 kB
00:00
-----------------------------------------------------------------
------------
Total 2.6 MB/s | 3.8 MB
00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libdhash-0.4.3-22.el7.x86_64
1/22
Installing : libsss_idmap-1.11.2-65.el7.x86_64
2/22
Installing : libcollection-0.6.2-22.el7.x86_64
3/22
Installing : libpath_utils-0.2.1-22.el7.x86_64
4/22
Installing : libipa_hbac-1.11.2-65.el7.x86_64
5/22
Installing : libbasicobjects-0.1.0-22.el7.x86_64
6/22
Installing : libref_array-0.1.3-22.el7.x86_64
7/22
Installing : libini_config-1.0.0.1-22.el7.x86_64
8/22
Installing : c-ares-1.10.0-3.el7.x86_64
9/22
Installing : sssd-common-1.11.2-65.el7.x86_64
10/22
Installing : sssd-common-pac-1.11.2-65.el7.x86_64
11/22
Installing : sssd-proxy-1.11.2-65.el7.x86_64
12/22
Installing : cyrus-sasl-gssapi-2.1.26-17.el7.x86_64
13/22
Installing : sssd-krb5-common-1.11.2-65.el7.x86_64
14/22
Installing : sssd-ipa-1.11.2-65.el7.x86_64
15/22
Installing : sssd-krb5-1.11.2-65.el7.x86_64
16/22
Installing : sssd-ldap-1.11.2-65.el7.x86_64
17/22
Installing : sssd-ad-1.11.2-65.el7.x86_64
18/22
Installing : python-sssdconfig-1.11.2-65.el7.noarch
19/22
Installing : sssd-1.11.2-65.el7.x86_64
20/22
Installing : authconfig-gtk-6.2.8-8.el7.x86_64
21/22
Installing : krb5-workstation-1.11.3-49.el7.x86_64
22/22
Verifying : libcollection-0.6.2-22.el7.x86_64
1/22
Verifying : krb5-workstation-1.11.3-49.el7.x86_64
2/22
Verifying : python-sssdconfig-1.11.2-65.el7.noarch
3/22
Verifying : sssd-ipa-1.11.2-65.el7.x86_64
4/22
Verifying : cyrus-sasl-gssapi-2.1.26-17.el7.x86_64
5/22
Verifying : libsss_idmap-1.11.2-65.el7.x86_64
6/22
Verifying : sssd-proxy-1.11.2-65.el7.x86_64
7/22
Verifying : sssd-common-1.11.2-65.el7.x86_64
8/22
Verifying : sssd-krb5-common-1.11.2-65.el7.x86_64
9/22
Verifying : authconfig-gtk-6.2.8-8.el7.x86_64
10/22
Verifying : sssd-krb5-1.11.2-65.el7.x86_64
11/22
Verifying : c-ares-1.10.0-3.el7.x86_64
12/22
Verifying : libini_config-1.0.0.1-22.el7.x86_64
13/22
Verifying : libref_array-0.1.3-22.el7.x86_64
14/22
Verifying : libdhash-0.4.3-22.el7.x86_64
15/22
Verifying : sssd-ldap-1.11.2-65.el7.x86_64
16/22
Verifying : sssd-ad-1.11.2-65.el7.x86_64
17/22
Verifying : libbasicobjects-0.1.0-22.el7.x86_64
18/22
Verifying : sssd-common-pac-1.11.2-65.el7.x86_64
19/22
Verifying : libipa_hbac-1.11.2-65.el7.x86_64
20/22
Verifying : sssd-1.11.2-65.el7.x86_64
21/22
Verifying : libpath_utils-0.2.1-22.el7.x86_64
22/22
Installed:
authconfig-gtk.x86_64 0:6.2.8-8.el7
krb5-workstation.x86_64 0:1.11.3-49.el7
sssd.x86_64 0:1.11.2-65.el7
Dependency Installed:
c-ares.x86_64 0:1.10.0-3.el7
cyrus-sasl-gssapi.x86_64 0:2.1.26-17.el7
libbasicobjects.x86_64 0:0.1.0-22.el7
libcollection.x86_64 0:0.6.2-22.el7
libdhash.x86_64 0:0.4.3-22.el7
libini_config.x86_64 0:1.0.0.1-22.el7
libipa_hbac.x86_64 0:1.11.2-65.el7
libpath_utils.x86_64 0:0.2.1-22.el7
libref_array.x86_64 0:0.1.3-22.el7
libsss_idmap.x86_64 0:1.11.2-65.el7
python-sssdconfig.noarch 0:1.11.2-65.el7
sssd-ad.x86_64 0:1.11.2-65.el7
sssd-common.x86_64 0:1.11.2-65.el7
sssd-common-pac.x86_64 0:1.11.2-65.el7
sssd-ipa.x86_64 0:1.11.2-65.el7
sssd-krb5.x86_64 0:1.11.2-65.el7
sssd-krb5-common.x86_64 0:1.11.2-65.el7
sssd-ldap.x86_64 0:1.11.2-65.el7
sssd-proxy.x86_64 0:1.11.2-65.el7
Complete!
[root@server3 Desktop]# authconfig-gtk
Full path required for exclude: net:[4026532297].
Full path required for exclude: net:[4026532297].
[root@server3 Desktop]# systemctl status sssd.service
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
Active: active (running) since Mon 2015-06-08 05:45:42 IST; 8s
ago
Process: 4195 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)
Main PID: 4196 (sssd)
CGroup: /system.slice/sssd.service
??4196 /usr/sbin/sssd -D -f
??4197 /usr/libexec/sssd/sssd_be --domain default
--debug-to-fi...
??4198 /usr/libexec/sssd/sssd_nss --debug-to-files
??4199 /usr/libexec/sssd/sssd_pam --debug-to-files
??4200 /usr/libexec/sssd/sssd_autofs --debug-to-files
Jun 08 05:45:37 server3.example.com sssd[4196]: Starting up

Jun 08 05:45:42 server3.example.com sssd[be[4197]: Starting up
Jun 08 05:45:42 server3.example.com systemd[1]: Started System
Security Se...
This verifies that the host can authenticate and shows that
Kerberos authentication configuration is correct.
kinit -k or kinit username
[root@server3 Desktop]# getent passwd ldapuser3
ldapuser3:*:1703:1703:LDAP Test User
3:/home/guests/ldapuser3:/bin/bash
[root@server3 Desktop]# i am assuming user arora as ldapuser3
because it should be a network user and i dont have a network
user by the name arora
bash: i: command not found...
[root@server3 Desktop]# mkdir -p /restricted/protected
[root@server3 Desktop]# chown ldapuser3:ldapuser3

/restricted/protected
[root@server3 Desktop]# chmod 777 /restricted/protected
[root@server3 Desktop]# wget -O /etc/krb5.keytab

http://station.network10.example.com/pub/keytabs/system2.network3
.keytab
[root@server3 Desktop]# systemctl enable nfs-secure-

server.service
ln -s '/usr/lib/systemd/system/nfs-secure-server.service'
'/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server3 Desktop]# systemctl start nfs-secure-server.service
[root@server3 Desktop]# exportfs -rv

exporting *.example.com:/restricted/protected
exporting *.example.com:/common
[root@server3 Desktop]# ssh desktop3

=================================================================
=================================================================
==============
10.
* Configure nfs mount.

- Mount /common directory on Desktop under /public
directory persistently at system boot time.
- Mount /restricted/protected with krb5p secured
share on system1 beneath /secure provided with
keytab
http://classroom.example.com/pub/keytabs/serverX.keytab
[root@desktop3 ~]# rpm -qa nfs-utils
nfs-utils-1.3.0-0.el7.x86_64
[root@desktop3 ~]# showmount -e server3
Export list for server3:
/restricted/protected *.example.com
/common *.example.com
[root@desktop3 ~]# echo "server3:/common /public nfs defaults 0
0" >>/etc/fstab
[root@desktop3 ~]# mkdir -p /public
[root@desktop3 ~]# mount -a
[root@desktop3 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 10G 3.1G 7.0G 31% /
devtmpfs 906M 0 906M 0% /dev
tmpfs 921M 80K 921M 1% /dev/shm
tmpfs 921M 17M 904M 2% /run
tmpfs 921M 0 921M 0% /sys/fs/cgroup
server3:/common 10G 3.1G 7.0G 31% /public
[root@desktop3 ~]#
[root@desktop3 ~]# yum install authconfig-gtk sssd krb5-
workstation -y
---> Package authconfig-gtk.x86_64 0:6.2.8-8.el7 will be
installed
---> Package krb5-workstation.x86_64 0:1.11.3-49.el7 will be
installed
---> Package sssd.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: python-sssdconfig = 1.11.2-65.el7 for
--> Processing Dependency: sssd-ad = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-common = 1.11.2-65.el7 for
--> Processing Dependency: sssd-common-pac = 1.11.2-65.el7 for
--> Processing Dependency: sssd-ipa = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-krb5 = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-ldap = 1.11.2-65.el7 for package:
sssd-1.11.2-65.el7.x86_64
--> Processing Dependency: sssd-proxy = 1.11.2-65.el7 for
---> Package python-sssdconfig.noarch 0:1.11.2-65.el7 will be
installed
---> Package sssd-ad.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: sssd-krb5-common = 1.11.2-65.el7 for
--> Processing Dependency: libdhash.so.1()(64bit) for package:
sssd-ad-1.11.2-65.el7.x86_64
--> Processing Dependency: libsss_idmap.so.0()(64bit) for
--> Processing Dependency: libsss_krb5_common.so()(64bit) for
---> Package sssd-common.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: libini_config >= 1.0.0.1 for package:
--> Processing Dependency: libcares.so.2()(64bit) for package:
--> Processing Dependency: libcollection.so.2()(64bit) for
--> Processing Dependency: libini_config.so.3()(64bit) for
---> Package sssd-common-pac.x86_64 0:1.11.2-65.el7 will be
installed
---> Package sssd-ipa.x86_64 0:1.11.2-65.el7 will be installed
--> Processing Dependency: libipa_hbac(x86-64) = 1.11.2-65.el7
for package: sssd-ipa-1.11.2-65.el7.x86_64
--> Processing Dependency: libipa_hbac.so.0()(64bit) for package:
sssd-ipa-1.11.2-65.el7.x86_64
---> Package sssd-krb5.x86_64 0:1.11.2-65.el7 will be installed
---> Package sssd-ldap.x86_64 0:1.11.2-65.el7 will be installed
---> Package sssd-proxy.x86_64 0:1.11.2-65.el7 will be installed
---> Package c-ares.x86_64 0:1.10.0-3.el7 will be installed
---> Package libcollection.x86_64 0:0.6.2-22.el7 will be
installed
---> Package libdhash.x86_64 0:0.4.3-22.el7 will be installed
---> Package libini_config.x86_64 0:1.0.0.1-22.el7 will be
installed
--> Processing Dependency: libbasicobjects.so.0()(64bit) for
--> Processing Dependency: libpath_utils.so.1()(64bit) for
--> Processing Dependency: libref_array.so.1()(64bit) for
---> Package libipa_hbac.x86_64 0:1.11.2-65.el7 will be installed
---> Package libsss_idmap.x86_64 0:1.11.2-65.el7 will be
installed
---> Package sssd-krb5-common.x86_64 0:1.11.2-65.el7 will be
installed
--> Processing Dependency: cyrus-sasl-gssapi(x86-64) for package:
sssd-krb5-common-1.11.2-65.el7.x86_64
---> Package cyrus-sasl-gssapi.x86_64 0:2.1.26-17.el7 will be
installed
---> Package libbasicobjects.x86_64 0:0.1.0-22.el7 will be
installed
---> Package libpath_utils.x86_64 0:0.2.1-22.el7 will be
installed
---> Package libref_array.x86_64 0:0.1.3-22.el7 will be installed
=================================================================
============
Repository Size
=================================================================
============
Installing:
authconfig-gtk x86_64 6.2.8-8.el7 rhel_dvd
105 k
krb5-workstation x86_64 1.11.3-49.el7 rhel_dvd
724 k
sssd x86_64 1.11.2-65.el7 rhel_dvd
65 k
c-ares x86_64 1.10.0-3.el7 rhel_dvd
78 k
cyrus-sasl-gssapi x86_64 2.1.26-17.el7 rhel_dvd
40 k
libbasicobjects x86_64 0.1.0-22.el7 rhel_dvd
24 k
libcollection x86_64 0.6.2-22.el7 rhel_dvd
39 k
libdhash x86_64 0.4.3-22.el7 rhel_dvd
27 k
libini_config x86_64 1.0.0.1-22.el7 rhel_dvd
49 k
libipa_hbac x86_64 1.11.2-65.el7 rhel_dvd
71 k
libpath_utils x86_64 0.2.1-22.el7 rhel_dvd
27 k
libref_array x86_64 0.1.3-22.el7 rhel_dvd
25 k
libsss_idmap x86_64 1.11.2-65.el7 rhel_dvd
76 k
python-sssdconfig noarch 1.11.2-65.el7 rhel_dvd
96 k
sssd-ad x86_64 1.11.2-65.el7 rhel_dvd
167 k
sssd-common x86_64 1.11.2-65.el7 rhel_dvd
1.2 M
sssd-common-pac x86_64 1.11.2-65.el7 rhel_dvd
120 k
sssd-ipa x86_64 1.11.2-65.el7 rhel_dvd
271 k
sssd-krb5 x86_64 1.11.2-65.el7 rhel_dvd
108 k
sssd-krb5-common x86_64 1.11.2-65.el7 rhel_dvd
201 k
sssd-ldap x86_64 1.11.2-65.el7 rhel_dvd
202 k
sssd-proxy x86_64 1.11.2-65.el7 rhel_dvd
115 k
Transaction Summary
=================================================================
============

(1/22): c-ares-1.10.0-3.el7.x86_64.rpm | 78 kB
00:00
(2/22): authconfig-gtk-6.2.8-8.el7.x86_64.rpm | 105 kB
00:00
(3/22): cyrus-sasl-gssapi-2.1.26-17.el7.x86_64.rpm | 40 kB
00:00
(4/22): libbasicobjects-0.1.0-22.el7.x86_64.rpm | 24 kB
00:00
(5/22): libcollection-0.6.2-22.el7.x86_64.rpm | 39 kB
00:00
(6/22): libdhash-0.4.3-22.el7.x86_64.rpm | 27 kB
00:00
(7/22): libini_config-1.0.0.1-22.el7.x86_64.rpm | 49 kB
00:00
(8/22): libipa_hbac-1.11.2-65.el7.x86_64.rpm | 71 kB
00:00
(9/22): libpath_utils-0.2.1-22.el7.x86_64.rpm | 27 kB
00:00
(10/22): libref_array-0.1.3-22.el7.x86_64.rpm | 25 kB
00:00
(11/22): libsss_idmap-1.11.2-65.el7.x86_64.rpm | 76 kB
00:00
(12/22): python-sssdconfig-1.11.2-65.el7.noarch.rpm | 96 kB
00:00
(13/22): sssd-1.11.2-65.el7.x86_64.rpm | 65 kB
00:00
(14/22): krb5-workstation-1.11.3-49.el7.x86_64.rpm | 724 kB
00:00
(15/22): sssd-ad-1.11.2-65.el7.x86_64.rpm | 167 kB
00:00
(16/22): sssd-common-pac-1.11.2-65.el7.x86_64.rpm | 120 kB
00:00
(17/22): sssd-ipa-1.11.2-65.el7.x86_64.rpm | 271 kB
00:00
(18/22): sssd-krb5-1.11.2-65.el7.x86_64.rpm | 108 kB
00:00
(19/22): sssd-krb5-common-1.11.2-65.el7.x86_64.rpm | 201 kB
00:00
(20/22): sssd-ldap-1.11.2-65.el7.x86_64.rpm | 202 kB
00:00
(21/22): sssd-proxy-1.11.2-65.el7.x86_64.rpm | 115 kB
00:00
(22/22): sssd-common-1.11.2-65.el7.x86_64.rpm | 1.2 MB
00:00
-----------------------------------------------------------------
------------
00:01
Running transaction
Installing : libdhash-0.4.3-22.el7.x86_64
1/22
Installing : libsss_idmap-1.11.2-65.el7.x86_64
2/22
Installing : libcollection-0.6.2-22.el7.x86_64
3/22
Installing : libpath_utils-0.2.1-22.el7.x86_64
4/22
Installing : libipa_hbac-1.11.2-65.el7.x86_64
5/22
Installing : libbasicobjects-0.1.0-22.el7.x86_64
6/22
Installing : libref_array-0.1.3-22.el7.x86_64
7/22
Installing : libini_config-1.0.0.1-22.el7.x86_64
8/22
Installing : c-ares-1.10.0-3.el7.x86_64
9/22
Installing : sssd-common-1.11.2-65.el7.x86_64
10/22
Installing : sssd-common-pac-1.11.2-65.el7.x86_64
11/22
Installing : sssd-proxy-1.11.2-65.el7.x86_64
12/22
Installing : cyrus-sasl-gssapi-2.1.26-17.el7.x86_64
13/22
Installing : sssd-krb5-common-1.11.2-65.el7.x86_64
14/22
Installing : sssd-ipa-1.11.2-65.el7.x86_64
15/22
Installing : sssd-krb5-1.11.2-65.el7.x86_64
16/22
Installing : sssd-ldap-1.11.2-65.el7.x86_64
17/22
Installing : sssd-ad-1.11.2-65.el7.x86_64
18/22
Installing : python-sssdconfig-1.11.2-65.el7.noarch
19/22
Installing : sssd-1.11.2-65.el7.x86_64
20/22
Installing : authconfig-gtk-6.2.8-8.el7.x86_64
21/22
Installing : krb5-workstation-1.11.3-49.el7.x86_64
22/22
Verifying : libcollection-0.6.2-22.el7.x86_64
1/22
Verifying : krb5-workstation-1.11.3-49.el7.x86_64
2/22
Verifying : python-sssdconfig-1.11.2-65.el7.noarch
3/22
Verifying : sssd-ipa-1.11.2-65.el7.x86_64
4/22
Verifying : cyrus-sasl-gssapi-2.1.26-17.el7.x86_64
5/22
Verifying : libsss_idmap-1.11.2-65.el7.x86_64
6/22
Verifying : sssd-proxy-1.11.2-65.el7.x86_64
7/22
Verifying : sssd-common-1.11.2-65.el7.x86_64
8/22
Verifying : sssd-krb5-common-1.11.2-65.el7.x86_64
9/22
Verifying : authconfig-gtk-6.2.8-8.el7.x86_64
10/22
Verifying : sssd-krb5-1.11.2-65.el7.x86_64
11/22
Verifying : c-ares-1.10.0-3.el7.x86_64
12/22
Verifying : libini_config-1.0.0.1-22.el7.x86_64
13/22
Verifying : libref_array-0.1.3-22.el7.x86_64
14/22
Verifying : libdhash-0.4.3-22.el7.x86_64
15/22
Verifying : sssd-ldap-1.11.2-65.el7.x86_64
16/22
Verifying : sssd-ad-1.11.2-65.el7.x86_64
17/22
Verifying : libbasicobjects-0.1.0-22.el7.x86_64
18/22
Verifying : sssd-common-pac-1.11.2-65.el7.x86_64
19/22
Verifying : libipa_hbac-1.11.2-65.el7.x86_64
20/22
Verifying : sssd-1.11.2-65.el7.x86_64
21/22
Verifying : libpath_utils-0.2.1-22.el7.x86_64
22/22
Installed:
authconfig-gtk.x86_64 0:6.2.8-8.el7
krb5-workstation.x86_64 0:1.11.3-49.el7
sssd.x86_64 0:1.11.2-65.el7
c-ares.x86_64 0:1.10.0-3.el7
cyrus-sasl-gssapi.x86_64 0:2.1.26-17.el7
libbasicobjects.x86_64 0:0.1.0-22.el7
libcollection.x86_64 0:0.6.2-22.el7
libdhash.x86_64 0:0.4.3-22.el7
libini_config.x86_64 0:1.0.0.1-22.el7
libipa_hbac.x86_64 0:1.11.2-65.el7
libpath_utils.x86_64 0:0.2.1-22.el7
libref_array.x86_64 0:0.1.3-22.el7
libsss_idmap.x86_64 0:1.11.2-65.el7
python-sssdconfig.noarch 0:1.11.2-65.el7
sssd-ad.x86_64 0:1.11.2-65.el7
sssd-common.x86_64 0:1.11.2-65.el7
sssd-common-pac.x86_64 0:1.11.2-65.el7
sssd-ipa.x86_64 0:1.11.2-65.el7
sssd-krb5.x86_64 0:1.11.2-65.el7
sssd-krb5-common.x86_64 0:1.11.2-65.el7
sssd-ldap.x86_64 0:1.11.2-65.el7
sssd-proxy.x86_64 0:1.11.2-65.el7
Complete!
[root@desktop3 ~]#
[root@desktop3 ~]# systemctl enable nfs-secure.service
ln -s '/usr/lib/systemd/system/nfs-secure.service'
'/etc/systemd/system/nfs.target.wants/nfs-secure.service'
[root@desktop3 ~]#
[root@desktop3 ~]# authconfig-gtk

Unable to initialize graphical environment. Most likely cause of
failure
is that the tool was not run using a graphical environment.
Please either
start your graphical user interface or set your DISPLAY variable.
[root@server3 Desktop]# ssh -X desktop3

/usr/bin/xauth: file /root/.Xauthority does not exist
(process:32066): dconf-WARNING **: failed to commit changes to

dconf: Could not connect: Connection refused
[root@desktop3 ~]# authconfig-gtk
[root@desktop3 ~]# systemctl status sssd
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
11s ago
Process: 32181 ExecStart=/usr/sbin/sssd -D -f (code=exited,
status=0/SUCCESS)
Main PID: 32182 (sssd)
CGroup: /system.slice/sssd.service
??32182 /usr/sbin/sssd -D -f
??32183 /usr/libexec/sssd/sssd_be --domain default
--debug-to-f...
??32184 /usr/libexec/sssd/sssd_nss --debug-to-files
??32185 /usr/libexec/sssd/sssd_pam --debug-to-files
??32186 /usr/libexec/sssd/sssd_autofs --debug-to-files
Jun 08 06:00:49 desktop3.example.com sssd[32182]: Starting up

Jun 08 06:00:53 desktop3.example.com sssd[be[32183]: Starting up
Jun 08 06:00:53 desktop3.example.com systemd[1]: Started System
Security S...
[root@desktop3 ~]#
[root@desktop3 ~]# getent passwd ldapuser3
ldapuser3:*:1703:1703:LDAP Test User
3:/home/guests/ldapuser3:/bin/bash
[root@desktop3 ~]# wget -O /etc/krb5.keytab
http://station.network10.example.com/pub/keytabs/system1.network3
.keytab
Resolving classroom.example.com (classroom.example.com)...

172.25.254.254
Connecting to classroom.example.com (classroom.example.com)|
172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1258 (1.2K)
Saving to: ‘/etc/krb5.keytab’
100%[===================================>] 1,258 --.-K/s

in 0s
2015-06-08 06:03:11 (165 MB/s) - ‘/etc/krb5.keytab’ saved

[1258/1258]
[root@desktop3 ~]#
[root@desktop3 ~]# systemctl start nfs-secure.service

[root@desktop3 ~]#
[root@desktop3 ~]# showmount -e server3
Export list for server3:
/restricted/protected *.example.com
/common *.example.com
[root@desktop3 ~]# echo "server3:/restricted/protected /secure
nfs defaults,sec=krb5p 0 0" >>/etc/fstab
[root@desktop3 ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Wed May 7 01:22:57 2014
#
# Accessible filesystems, by reference, are maintained under
'/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for
more info
#
UUID=9bf6b9f7-92ad-441b-848e-0257cbb883d1 /
xfs defaults 1 1
server3:/common /public nfs defaults 0 0
server3:/restricted/protected /secure nfs defaults,sec=krb5p 0 0
[root@desktop3 ~]# mkdir
[root@desktop3 ~]# mkdir -p /secure
/dev/vda1 10G 3.1G 7.0G 31% /
tmpfs 921M 0 921M 0%
/sys/fs/cgroup
server3:/restricted/protected 10G 3.1G 7.0G 31% /secure
[root@desktop3 ~]#
=================================================================
=================================================================
=======================
11.
* Configure smb access.

- Share the /common directory via SMB from Server:
– Your SMB server must be a member of the SMBGROUP
workgroup
– The share’s name must be common
– The common share must be available to example.com
(172.25.X.0/24, X is the foundation machine no.) domain clients
only
– The common share must be browseable
– susan must have read access to the share,
authenticating with the same password
password, if necessary
- Configure the Server to share /cloudshare with SMB

share name must be OPENGROUP.
- The user frankenstein has read/write acces to
the /cloudshare SMB share.
- The user martin has read access to the /cloudshare
SMB share.
- Both users should have the SMB passwd "SaniTago".
[root@server3 Desktop]# yum install samba samba-client samba-
winbind -y
Package samba-4.1.1-31.el7.x86_64 already installed and latest
version
Package samba-client-4.1.1-31.el7.x86_64 already installed and
latest version
---> Package samba-winbind.x86_64 0:4.1.1-31.el7 will be
installed
--> Processing Dependency: samba-winbind-modules = 4.1.1-31.el7
for package: samba-winbind-4.1.1-31.el7.x86_64
---> Package samba-winbind-modules.x86_64 0:4.1.1-31.el7 will be
installed
--> Processing Dependency: libiniparser.so.0()(64bit) for
package: samba-winbind-modules-4.1.1-31.el7.x86_64
---> Package iniparser.x86_64 0:3.1-5.el7 will be installed
=================================================================
============
Repository Size
=================================================================
============
Installing:
samba-winbind x86_64 4.1.1-31.el7
rhel_dvd 449 k
iniparser x86_64 3.1-5.el7
rhel_dvd 14 k
samba-winbind-modules x86_64 4.1.1-31.el7
rhel_dvd 95 k
Transaction Summary
=================================================================
============
Install 1 Package (+2 Dependent packages)
Total download size: 558 k

(1/3): iniparser-3.1-5.el7.x86_64.rpm | 14 kB
00:00
(2/3): samba-winbind-modules-4.1.1-31.el7.x86_64.rpm | 95 kB
00:00
(3/3): samba-winbind-4.1.1-31.el7.x86_64.rpm | 449 kB
00:00
-----------------------------------------------------------------
------------
Total 808 kB/s | 558 kB
00:00
Running transaction
Installing : iniparser-3.1-5.el7.x86_64
1/3
Installing : samba-winbind-modules-4.1.1-31.el7.x86_64
2/3
Installing : samba-winbind-4.1.1-31.el7.x86_64
3/3
Verifying : iniparser-3.1-5.el7.x86_64
1/3
Verifying : samba-winbind-4.1.1-31.el7.x86_64
2/3
Verifying : samba-winbind-modules-4.1.1-31.el7.x86_64
3/3
Installed:
samba-winbind.x86_64 0:4.1.1-31.el7
iniparser.x86_64 0:3.1-5.el7 samba-winbind-modules.x86_64
0:4.1.1-31.el7
Complete!
[root@server3 Desktop]# yum install samba-common -y
Package samba-common-4.1.1-31.el7.x86_64 already installed and
latest version
Nothing to do
[root@server3 Desktop]# systemctl enable smb.service nmb.service
ln -s '/usr/lib/systemd/system/smb.service'
'/etc/systemd/system/multi-user.target.wants/smb.service'
ln -s '/usr/lib/systemd/system/nmb.service'
'/etc/systemd/system/multi-user.target.wants/nmb.service'
[root@server3 Desktop]# systemctl start smb.service nmb.service
service=samba
success
success
[root@server3 Desktop]# vim /etc/samba/smb.conf
[root@server3 Desktop]# mkdir /common
mkdir: cannot create directory ‘/common’: File exists
[root@server3 Desktop]# chcon -t samba_share_t /common/
[root@server3 Desktop]# useradd susan
[root@server3 Desktop]# smbpasswd -a susan
New SMB password:
Retype new SMB password:
Added user susan.
[root@server3 Desktop]# smbpasswd -a susan
New SMB password:
[root@server3 Desktop]# testparm

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[common]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[common]
comment = "This is test share"
path = /common
valid users = susan
hosts allow = 172.25.3.0/24
[root@server3 Desktop]# systemctl restart smb.service nmb.service
=================================================================
=================================================================
=====================
12.
* smb mount.
- On Desktop mount the samba share /cloudshare
permanently beneath /mnt/smbspace as a multiuser mount.
- the samba share should be mounted with the
credentials of frankenstein.
[root@desktop3 ~]# yum install samba samba-common samba-client

samba-winbind -y
Package samba-common-4.1.1-31.el7.x86_64 already installed and
latest version
---> Package samba.x86_64 0:4.1.1-31.el7 will be installed
---> Package samba-client.x86_64 0:4.1.1-31.el7 will be installed
---> Package samba-winbind.x86_64 0:4.1.1-31.el7 will be
installed
--> Processing Dependency: samba-winbind-modules = 4.1.1-31.el7
for package: samba-winbind-4.1.1-31.el7.x86_64
---> Package samba-winbind-modules.x86_64 0:4.1.1-31.el7 will be
installed
--> Processing Dependency: libiniparser.so.0()(64bit) for
package: samba-winbind-modules-4.1.1-31.el7.x86_64
---> Package iniparser.x86_64 0:3.1-5.el7 will be installed
=================================================================
============
Repository Size
=================================================================
============
Installing:
samba x86_64 4.1.1-31.el7
rhel_dvd 527 k
samba-client x86_64 4.1.1-31.el7
rhel_dvd 513 k
samba-winbind x86_64 4.1.1-31.el7
rhel_dvd 449 k
iniparser x86_64 3.1-5.el7
rhel_dvd 14 k
samba-winbind-modules x86_64 4.1.1-31.el7
rhel_dvd 95 k
Transaction Summary
=================================================================
============

(1/5): iniparser-3.1-5.el7.x86_64.rpm | 14 kB
00:00
(2/5): samba-4.1.1-31.el7.x86_64.rpm | 527 kB
00:00
(3/5): samba-client-4.1.1-31.el7.x86_64.rpm | 513 kB
00:00
(4/5): samba-winbind-modules-4.1.1-31.el7.x86_64.rpm | 95 kB
00:00
(5/5): samba-winbind-4.1.1-31.el7.x86_64.rpm | 449 kB
00:00
-----------------------------------------------------------------
------------
00:00
Running transaction
Installing : iniparser-3.1-5.el7.x86_64
1/5
Installing : samba-winbind-modules-4.1.1-31.el7.x86_64
2/5
Installing : samba-winbind-4.1.1-31.el7.x86_64
3/5
Installing : samba-4.1.1-31.el7.x86_64
4/5
Installing : samba-client-4.1.1-31.el7.x86_64
5/5
Verifying : samba-client-4.1.1-31.el7.x86_64
1/5
Verifying : samba-winbind-modules-4.1.1-31.el7.x86_64
2/5
Verifying : iniparser-3.1-5.el7.x86_64
3/5
Verifying : samba-4.1.1-31.el7.x86_64
4/5
Verifying : samba-winbind-4.1.1-31.el7.x86_64
5/5
Installed:
samba.x86_64 0:4.1.1-31.el7 samba-client.x86_64
0:4.1.1-31.el7
samba-winbind.x86_64 0:4.1.1-31.el7
iniparser.x86_64 0:3.1-5.el7 samba-winbind-modules.x86_64
0:4.1.1-31.el7
Complete!
[root@desktop3 ~]#
[root@desktop3 ~]# systemctl enable samba.service nmb.service
ln -s '/usr/lib/systemd/system/smb.service'
'/etc/systemd/system/multi-user.target.wants/smb.service'
ln -s '/usr/lib/systemd/system/nmb.service'
'/etc/systemd/system/multi-user.target.wants/nmb.service'
[root@desktop3 ~]# systemctl start smb.service nmb.service
[root@desktop3 ~]# firewall-cmd --permanent --add-service=samba
success
[root@desktop3 ~]# firewall-cmd --reload
success
[root@desktop3 ~]# mkdir /cloudshare
[root@desktop3 ~]# chmod 777 /cloudshare
[root@desktop3 ~]# chcon -t samba_share_t /cloudshare
[root@desktop3 ~]# vim /etc/samba/smb.conf
[root@desktop3 ~]# useradd martin
[root@desktop3 ~]# useradd frankenstein
[root@desktop3 ~]# smbpasswd -a frankenstein
New SMB password:
Added user frankenstein.
[root@desktop3 ~]# smbpasswd -a martin
New SMB password:
Added user martin.
[root@desktop3 ~]# systemctl restart smb.service nmb.service
[root@desktop3 ~]#
[root@desktop3 ~]# ssh desktop3
The authenticity of host 'desktop3 (172.25.3.10)' can't be
established.
eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? ^C
[root@desktop3 ~]# ssh server3
The authenticity of host 'server3 (172.25.3.11)' can't be
established.
eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server3,172.25.3.11' (ECDSA) to the
list of known hosts.
root@server3's password:
Last login: Mon Jun 8 05:05:13 2015
[root@server3 ~]# yum install cifs-utils -y
---> Package cifs-utils.x86_64 0:6.2-6.el7 will be installed
=================================================================
============
Package Arch Version Repository
Size
=================================================================
============
Installing:
cifs-utils x86_64 6.2-6.el7 rhel_dvd
83 k
Transaction Summary
=================================================================
============
Install 1 Package

Installed size: 174 k
cifs-utils-6.2-6.el7.x86_64.rpm | 83 kB
00:00
Running transaction
Installing : cifs-utils-6.2-6.el7.x86_64
1/1
Verifying : cifs-utils-6.2-6.el7.x86_64
1/1
Installed:
cifs-utils.x86_64 0:6.2-6.el7
Complete!
[root@server3 ~]# echo "//desktop3/OPENGROUP /mnt/smbspace cifs
defaults,multiuser,sec=ntlmssp,credentials=/root/pass 0 0"
>>/etc/fstab
[root@server3 ~]# vim /root/pass
[root@server3 ~]# mkdir -p /mnt/smbspace
[root@server3 ~]# mount -a
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[root@server3 ~]#
[root@server3 ~]# vim /etc/fstab
[root@server3 ~]# smbclient -L //desktop3
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment

--------- ---- -------
OPENGROUP Disk
IPC$ IPC IPC Service (Samba Server Version
4.1.1)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
DESKTOP3 Samba Server Version 4.1.1
SERVER3 Samba Server Version 4.1.1
Workgroup Master
--------- -------
MYGROUP SERVER3
[root@server3 ~]# cat /root/pass
username=frankenstein
password=SaniTago
[root@server3 ~]#
[root@server3 ~]# mount -a
[root@server3 ~]# logout
Connection to server3 closed.
[root@desktop3 ~]# cat /etc/samba/smb.conf
# This is the main Samba configuration file. For detailed
information about the
# options listed here, refer to the smb.conf(5) manual page.
Samba has a huge
# number of configurable options, most of which are not shown in
this example.
#
# The Official Samba 3.2.x HOWTO and Reference Guide contains
step-by-step
# guides for installing, configuring, and using Samba:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# The Samba-3 by Example guide has working examples for smb.conf.
This guide is
# generated daily: http://www.samba.org/samba/docs/Samba-
Guide.pdf
#
# In this file, lines starting with a semicolon (;) or a hash (#)
are
# comments and are ignored. This file uses hashes to denote
commentary and
# semicolons for parts of the file you may wish to configure.
#
# Note: Run the "testparm" command after modifying this file to
check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow Samba to
use the useradd
# and groupadd family of binaries. Run the following command as
the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share
home
# directories via Samba. Run the following command as the root
user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level
directory, label it
# with samba_share_t so that SELinux allows Samba to read and
write to it. Do
# not label system directories, such as /etc/ and /home/, with
samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the
current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have
created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is
relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to
share system
# directories. To share such directories and only allow read-only
permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy
them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow
smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/,
they retain
# their existing SELinux labels, which may be labels that SELinux
does not allow
# smbd to run. Copying the scripts will result in the correct
SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as
the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings
=====================================
[global]
# ----------------------- Network-Related Options

-------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for
example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description
field.
#
# netbios name = used to specify a server name that is not tied
to the hostname.
#
# interfaces = used to configure Samba to listen on multiple
network interfaces.
# If you have multiple interfaces, you can use the "interfaces ="
option to
# configure which of those interfaces Samba listens on. Never
omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can
also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can
also be used on
# a per-share basis.
#
# max protocol = used to define the supported protocol. The
default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
workgroup = MYGROUP
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24

; hosts allow = 127. 192.168.12. 192.168.13.
; max protocol = SMB2
# --------------------------- Logging Options

-----------------------------
#
# log file = specify where log files are written to and how they
are split.
#
# max log size = specify the maximum size log files are allowed
to reach. Log
# files are rotated when they reach the size specified with "max
log size".
#
# log files split per-machine:

# maximum size of 50KB per log file, then rotate:
max log size = 50
# ----------------------- Standalone Server Options

------------------------
#
# security = the mode Samba runs in. This can be set to user,
share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in.
New
# installations should use either tdbsam or ldapsam. No
additional configuration
# is required for tdbsam. The "smbpasswd" utility is available
for backwards
# compatibility.
#
security = user
passdb backend = tdbsam
# ----------------------- Domain Members Options

------------------------
#
# security = must be set to domain or ads.
#
New
for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads"
option is set.
# The realm option specifies the Active Directory realm the host
is a part of.
#
# password server = only use this option when the "security =
server"
# option is set, or if you cannot use DNS to locate a Domain
Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and
[My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain
Controllers.
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options

------------------------
#
# security = must be set to user for domain controllers.
#
New
for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master
Browser, allowing
# Samba to collate browse lists between subnets. Do not use the
"domain master"
# option if you already have a Windows NT domain controller
performing this task.
#
# domain logons = allows Samba to provide a network logon service
for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the
client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles
are stored.
#
#
; security = user
; domain master = yes

; domain logons = yes
# the following login script name is determined by the

machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX
user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =
# various scripts can be used on a domain controller or a

stand-alone
# machine to add or delete corresponding UNIX accounts:
; add user script = /usr/sbin/useradd "%u" -n -g users

; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation
(%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options

----------------------------
#
# local master = when set to no, Samba does not become the master
browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master
browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local
browser election at
# start up (and gives itself a slightly higher chance of winning
the election).
#
; local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution

-------------------------------
#
# This section details the support for the Windows Internet Name
Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but
not both.
#
# wins support = when set to yes, the NMBD component of Samba
enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS
client.
#
# wins proxy = when set to yes, Samba answers name resolution
queries on behalf
# of a non WINS capable client. For this to work, there must be
at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS
names via DNS
# nslookups.
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
# --------------------------- Printing Options

-----------------------------
#
# The options in this section allow you to configure a non-
default printing
# system.
#
# load printers = when set you yes, the list of printers is
automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library.
Setting this
# option to raw, for example, allows you to use drivers on your
Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
load printers = yes

cups options = raw
; printcap name = /etc/printcap

# obtain a list of printers automatically on UNIX System V
systems:
; printcap name = lpstat
; printing = cups
# --------------------------- File System Options

---------------------------
#
# The options in this section can be un-commented if the file
system supports
# extended attributes, and those attributes are enabled (usually
via the
# "user_xattr" mount option). These options allow the
administrator to specify
# that DOS attributes are stored in extended attributes and also
make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting
them globally
# (in the [global] section) makes them the default for all
shares.
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions

==============================
[homes]
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for

Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile

share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory that is read only, except for

users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff
[OPENGROUP]
path = /cloudshare
writable = no
valid users = frankenstein martin
write list = frankenstein
browseable = yes
[root@desktop3 ~]#
[root@desktop3 ~]# ssh server3
root@server3's password:
Last login: Mon Jun 8 06:22:46 2015 from desktop3.example.com
[root@server3 ~]# cat /etc/samba/smb.conf
# This is the main Samba configuration file. For detailed
information about the
# options listed here, refer to the smb.conf(5) manual page.
Samba has a huge
# number of configurable options, most of which are not shown in
this example.
#
# The Official Samba 3.2.x HOWTO and Reference Guide contains
step-by-step
# guides for installing, configuring, and using Samba:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# The Samba-3 by Example guide has working examples for smb.conf.
This guide is
# generated daily: http://www.samba.org/samba/docs/Samba-
Guide.pdf
#
# In this file, lines starting with a semicolon (;) or a hash (#)
are
# comments and are ignored. This file uses hashes to denote
commentary and
# semicolons for parts of the file you may wish to configure.
#
# Note: Run the "testparm" command after modifying this file to
check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow Samba to
use the useradd
# and groupadd family of binaries. Run the following command as
the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share
home
# directories via Samba. Run the following command as the root
user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level
directory, label it
# with samba_share_t so that SELinux allows Samba to read and
write to it. Do
# not label system directories, such as /etc/ and /home/, with
samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the
current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have
created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is
relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to
share system
# directories. To share such directories and only allow read-only
permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy
them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow
smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/,
they retain
# their existing SELinux labels, which may be labels that SELinux
does not allow
# smbd to run. Copying the scripts will result in the correct
SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as
the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings
=====================================
[global]
# ----------------------- Network-Related Options

-------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for
example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description
field.
#
# netbios name = used to specify a server name that is not tied
to the hostname.
#
# interfaces = used to configure Samba to listen on multiple
network interfaces.
# If you have multiple interfaces, you can use the "interfaces ="
option to
# configure which of those interfaces Samba listens on. Never
omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can
also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can
also be used on
# a per-share basis.
#
# max protocol = used to define the supported protocol. The
default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
workgroup = MYGROUP
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24

; hosts allow = 127. 192.168.12. 192.168.13.
; max protocol = SMB2
# --------------------------- Logging Options

-----------------------------
#
# log file = specify where log files are written to and how they
are split.
#
# max log size = specify the maximum size log files are allowed
to reach. Log
# files are rotated when they reach the size specified with "max
log size".
#
# log files split per-machine:

# maximum size of 50KB per log file, then rotate:
max log size = 50
# ----------------------- Standalone Server Options

------------------------
#
# security = the mode Samba runs in. This can be set to user,
share
# (deprecated), or server (deprecated).
#
New
for backwards
# compatibility.
#
security = user
passdb backend = tdbsam
# ----------------------- Domain Members Options

------------------------
#
# security = must be set to domain or ads.
#
New
for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads"
option is set.
# The realm option specifies the Active Directory realm the host
is a part of.
#
# password server = only use this option when the "security =
server"
# option is set, or if you cannot use DNS to locate a Domain
Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and
[My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain
Controllers.
; security = domain
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options

------------------------
#
# security = must be set to user for domain controllers.
#
New
for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master
Browser, allowing
# Samba to collate browse lists between subnets. Do not use the
"domain master"
# option if you already have a Windows NT domain controller
performing this task.
#
# domain logons = allows Samba to provide a network logon service
for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the
client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles
are stored.
#
#
; security = user
; domain master = yes

; domain logons = yes
# the following login script name is determined by the
machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX
user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =
# various scripts can be used on a domain controller or a

stand-alone
# machine to add or delete corresponding UNIX accounts:
; add user script = /usr/sbin/useradd "%u" -n -g users

; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation
(%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options

----------------------------
#
# local master = when set to no, Samba does not become the master
browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master
browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local
browser election at
# start up (and gives itself a slightly higher chance of winning
the election).
#
; local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution

-------------------------------
#
# This section details the support for the Windows Internet Name
Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but
not both.
#
# wins support = when set to yes, the NMBD component of Samba
enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS
client.
#
# wins proxy = when set to yes, Samba answers name resolution
queries on behalf
# of a non WINS capable client. For this to work, there must be
at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS
names via DNS
# nslookups.
; wins support = yes

; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
# --------------------------- Printing Options

-----------------------------
#
# The options in this section allow you to configure a non-
default printing
# system.
#
# load printers = when set you yes, the list of printers is
automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library.
Setting this
# option to raw, for example, allows you to use drivers on your
Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
load printers = yes

cups options = raw
; printcap name = /etc/printcap

# obtain a list of printers automatically on UNIX System V
systems:
; printcap name = lpstat
; printing = cups
# --------------------------- File System Options
---------------------------
#
# The options in this section can be un-commented if the file
system supports
# extended attributes, and those attributes are enabled (usually
via the
# "user_xattr" mount option). These options allow the
administrator to specify
# that DOS attributes are stored in extended attributes and also
make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting
them globally
# (in the [global] section) makes them the default for all
shares.
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions

==============================
[homes]
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for

Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile
share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory that is read only, except for

users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff
[common]
path = /common
comment = "This is test share"
browseable = yes
writable = no
valid users = susan
hosts allow = 172.25.3.0/24
[root@server3 ~]#
[root@server3 ~]# df -h
/dev/vda1 10G 3.1G 7.0G 31% /
tmpfs 921M 0 921M 0% /sys/fs/cgroup
tmpfs 921M 17M 904M 2% /run/netns
//desktop3/OPENGROUP 10G 3.1G 7.0G 31% /mnt/smbspace
[root@server3 ~]#
=================================================================
==============================
13.
* Configure ISCSI storage on Server.

- Create a new 1GB iscsi_block target on your
system1.networkX.example.com.
- The server should export an iscsi disk called
iqn.2014-08.com.example.networkX:system1.
- This target should only be allowed to clients with
an IQN of
iqn-2014-08.com.example.networkX:system2
[root@server3 ~]#
[root@server3 Desktop]# in iscsi i am changinig initiator and

target address to the address whichever i have in my network
bash: syntax error near unexpected token `in'
[root@server3 Desktop]# yum install targetcli -y

---> Package targetcli.noarch 0:2.1.fb34-1.el7 will be installed
--> Processing Dependency: python-rtslib >= 2.1.fb41 for package:
targetcli-2.1.fb34-1.el7.noarch
--> Processing Dependency: python-configshell for package:
targetcli-2.1.fb34-1.el7.noarch
---> Package python-configshell.noarch 1:1.1.fb11-3.el7 will be
installed
--> Processing Dependency: pyparsing for package: 1:python-
configshell-1.1.fb11-3.el7.noarch
--> Processing Dependency: python-urwid for package: 1:python-
configshell-1.1.fb11-3.el7.noarch
---> Package python-rtslib.noarch 0:2.1.fb46-1.el7 will be
installed
--> Processing Dependency: python-kmod for package: python-
rtslib-2.1.fb46-1.el7.noarch
---> Package pyparsing.noarch 0:1.5.6-9.el7 will be installed
---> Package python-kmod.x86_64 0:0.9-4.el7 will be installed
---> Package python-urwid.x86_64 0:1.1.1-3.el7 will be installed
=================================================================
============
Repository Size
=================================================================
============
Installing:
targetcli noarch 2.1.fb34-1.el7
rhel_dvd 55 k
pyparsing noarch 1.5.6-9.el7
rhel_dvd 94 k
python-configshell noarch 1:1.1.fb11-3.el7
rhel_dvd 64 k
python-kmod x86_64 0.9-4.el7
rhel_dvd 57 k
python-rtslib noarch 2.1.fb46-1.el7
rhel_dvd 75 k
python-urwid x86_64 1.1.1-3.el7
rhel_dvd 654 k
Transaction Summary
=================================================================
============
Install 1 Package (+5 Dependent packages)

(1/6): pyparsing-1.5.6-9.el7.noarch.rpm | 94 kB
00:00
(2/6): python-configshell-1.1.fb11-3.el7.noarch.rpm | 64 kB
00:00
(3/6): python-kmod-0.9-4.el7.x86_64.rpm | 57 kB
00:00
(4/6): python-rtslib-2.1.fb46-1.el7.noarch.rpm | 75 kB
00:00
(5/6): targetcli-2.1.fb34-1.el7.noarch.rpm | 55 kB
00:00
(6/6): python-urwid-1.1.1-3.el7.x86_64.rpm | 654 kB
00:00
-----------------------------------------------------------------
------------
Total 1.1 MB/s | 998 kB
00:00
Running transaction
Installing : python-kmod-0.9-4.el7.x86_64
1/6
Installing : python-rtslib-2.1.fb46-1.el7.noarch
2/6
Installing : pyparsing-1.5.6-9.el7.noarch
3/6
Installing : python-urwid-1.1.1-3.el7.x86_64
4/6
Installing : 1:python-configshell-1.1.fb11-3.el7.noarch
5/6
Installing : targetcli-2.1.fb34-1.el7.noarch
6/6
Verifying : python-rtslib-2.1.fb46-1.el7.noarch
1/6
Verifying : python-urwid-1.1.1-3.el7.x86_64
2/6
Verifying : targetcli-2.1.fb34-1.el7.noarch
3/6
Verifying : 1:python-configshell-1.1.fb11-3.el7.noarch
4/6
Verifying : pyparsing-1.5.6-9.el7.noarch
5/6
Verifying : python-kmod-0.9-4.el7.x86_64
6/6
Installed:
targetcli.noarch 0:2.1.fb34-1.el7
pyparsing.noarch 0:1.5.6-9.el7
python-configshell.noarch 1:1.1.fb11-3.el7
python-kmod.x86_64 0:0.9-4.el7
python-rtslib.noarch 0:2.1.fb46-1.el7
python-urwid.x86_64 0:1.1.1-3.el7
Complete!
[root@server3 Desktop]# systemctl enable target.service
ln -s '/usr/lib/systemd/system/target.service'
'/etc/systemd/system/multi-user.target.wants/target.service'
[root@server3 Desktop]# systemctl start target.service
[root@server3 Desktop]# targetcli
Warning: Could not load preferences file
/root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> ls
o- / ............................................................
...... [...]
o-
backstores ......................................................
. [...]
| o- block ........................................... [Storage
Objects: 0]
| o- fileio .......................................... [Storage
Objects: 0]
| o- pscsi ........................................... [Storage
Objects: 0]
| o- ramdisk ......................................... [Storage
Objects: 0]
o- iscsi .....................................................
[Targets: 0]
o- loopback ..................................................
[Targets: 0]
/> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
[root@server3 Desktop]# fdisk /dev/vdb

Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write

them.
Be careful before using the write command.
Device does not contain a recognized partition table

Building a new DOS disklabel with disk identifier 0x6715cfd0.
Command (m for help): n

Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): e
Partition number (1-4, default 1):
First sector (2048-20971519, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default
20971519):
Partition 1 of type Extended and of size 10 GiB is set
Command (m for help): w

The partition table has been altered!
Calling ioctl() to re-read partition table.

Syncing disks.
[root@server3 Desktop]# fdisk /dev/vdb

them.

Partition type:
l logical (numbered from 5)
Select (default p): l
Adding logical partition 5
20971519): +1G
Partition 5 of type Linux and of size 1 GiB is set


Syncing disks.
[root@server3 Desktop]# partprobe
[root@server3 Desktop]# targetcli
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> cd /backstores/block
/backstores/block> create server3:disk1 /dev/vdb5
Created block storage object server3:disk1 using /dev/vdb5.
/backstores/block> cd ../../iscsi
/iscsi> create wwn=iqn.2015-06.com.example.server3
Created target iqn.2015-06.com.example.server3.
Created TPG 1.
/iscsi> cd iqn.2015-06.com.example.server3/tpg1/
iqn.2015-06.com.example.server3/tpg1/acls/
iqn.2015-06.com.example.server3/tpg1/luns/
iqn.2015-06.com.example.server3/tpg1/portals/
...........path
/iscsi> cd iqn.2015-06.com.example.server3/tpg1/
/iscsi> cd iqn.2015-06.com.example.server3/tpg1/acls
/iscsi/iqn.20...er3/tpg1/acls> create wwn=iqn.2015-
06.com.example.desktop3
Created Node ACL for iqn.2015-06.com.example.desktop3
/iscsi/iqn.20...er3/tpg1/acls> cd ../luns
/iscsi/iqn.20...er3/tpg1/luns> create
/backstores/block/server3:disk1
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2015-
06.com.example.desktop3
/iscsi/iqn.20...er3/tpg1/luns> cd ../portals
/iscsi/iqn.20.../tpg1/portals> create ip_address=172.25.3.11
ip_port=3260
Using default IP port 3260
Created network portal 172.25.3.11:3260.
/iscsi/iqn.20.../tpg1/portals> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
[root@server3 Desktop]# systemctl restart target.service
port=3260/tcp
success
success
=================================================================
============================================
14.
* Configure ISCSI Initiator on Desktop

- The system1.networkX.example.com provides an iscsi
port(3260).
connect the disk with system2.networkX.example.com
and configure filesystem with
the following requirements.
- Create 800MB partition on ISCSI block device and
assign the filesystem as xfs.
- Mount the volume under /mnt/initiator at the system
boot time.
- The filesystem should contains the copy of
http://classroom.example.com/anaconda-ks.cfg.
- The file sould be owned by root with 0644
permission.
- NOTE: content of the file should not be modified.

[root@desktop3 ~]# rpm -qa iscsi*
iscsi-initiator-utils-iscsiuio-6.2.0.873-21.el7.x86_64
iscsi-initiator-utils-6.2.0.873-21.el7.x86_64
[root@desktop3 ~]# vim /etc/iscsi/initiatorname.iscsi
[root@desktop3 ~]# systemctl restart iscsid.service
[root@desktop3 ~]#
[root@desktop3 ~]# cat /etc/iscsi/initiatorname.iscsi

InitiatorName=iqn.2015-06.com.example.desktop3
[root@desktop3 ~]# iscsiadm -m discovery -t st -p 172.25.3.11
172.25.3.11:3260,1 iqn.2015-06.com.example.server3
[root@desktop3 ~]# iscsiadm -m node -T iqn.2015-
06.com.example.server3 -p 172.25.3.11 -l
Logging in to [iface: default, target: iqn.2015-
06.com.example.server3, portal: 172.25.3.11,3260] (multiple)
Login to [iface: default, target: iqn.2015-
06.com.example.server3, portal: 172.25.3.11,3260] successful.
[root@desktop3 ~]# fdisk -l
Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e
Device Boot Start End Blocks Id System

/dev/vda1 * 2048 20970332 10484142+ 83 Linux
Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

Disk /dev/sda: 1073 MB, 1073741824 bytes, 2097152 sectors
[root@desktop3 ~]#
[root@desktop3 ~]# fdisk /dev/sda

them.
Device does not contain a recognized partition table

Building a new DOS disklabel with disk identifier 0xd62f64f5.

Partition type:
e extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
2097151): +800M
Partition 1 of type Linux and of size 800 MiB is set


Syncing disks.
[root@desktop3 ~]#
[root@desktop3 ~]# partprobe
[root@desktop3 ~]# mkfs.ext4 /dev/sda1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=1024 blocks
51296 inodes, 204800 blocks
10240 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=209715200
7 block groups
32768 blocks per group, 32768 fragments per group
7328 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
[root@desktop3 ~]#
[root@desktop3 ~]# blkid /dev/sda1
/dev/sda1: UUID="1cedc67b-08af-486a-99f5-3d3ce105e1b7"
TYPE="ext4"
[root@desktop3 ~]# echo "UUID=1cedc67b-08af-486a-99f5-
3d3ce105e1b7 /mnt/initiator ext4 _netdev 0 0" >>/etc/fstab
[root@desktop3 ~]# mkdir /mnt/initiator
/dev/vda1 10G 3.1G 7.0G 31% /
tmpfs 921M 0 921M 0%
/sys/fs/cgroup
server3:/restricted/protected 10G 3.1G 7.0G 31% /secure
/dev/sda1 772M 1.6M 714M 1%
/mnt/initiator
[root@desktop3 ~]#
=================================================================
==================
15.
* Mariadb
- Configure mariadb on Server,
- On system1, mariadb has corrupted due to some
issues.
anyhow you have the logical backup file
http://classroom.example.com/pub/mariadb.mdb
- Install a new mariadb server and restore the
database from the above provided file.
- Create a database called student
- Restore the database from the dump file
- A new ticket has been assigned to you to create new
remote access accounts
with the following information.
User
Accepts connection from host
Password
Privileges
andrew
localhost
andrew_password
select on all tables from student database
legacy
anyhost
legacy_password
select,insert,update,delete on all tables from student database
michael
localhost
michael_password
select on all tables from student database
#yum groupinstall mariadb mariadb-client -yes

#systemctl enable mariadb
#systemctl start mariadb
#firewall-cmd --permanent --add-service=mysql
#firewall-cmd --reload
Verify that MariaDB is listenning to all interfaces

#ss -tulpn |grep mqsql
#mysql -u root
#create database student
#mysql -u root student <
http://classroom.example.com/pub/mariadb.mdb
Verify the restored MariaDB

connec to mariadb again
#mqsql -u root ;
#use student ;
#SHOW TABLES
#DESCRIBE SERVERS
#CREATE USER andrew@localhost identified by 'andrew_password ' ;
#CREATE USER legacy@'%' identified by 'legacy_password' ;
#CREATE USER michael@localhost identified by 'michael_password' ;
#GRANT SELECT on student.* to andrew@localhost;

#GRANT SELECT, INSERT , UPDATE, DELETE, INSERT on student.* to
legacy@'%';
#GRANT SELECT on student.* to michael@localhost;
#FLUSH PRIVILEGES ;
#exit;
#
To query the datadir
mysqladmin variables |grep datadir

datadir /var/lib/mysql/
From desktopX system , validate the work
=================================================================
============
16.
* Mariadb Query.
- Enter the correct ID of X110 64GB product from the
table product
- Enter the name of the manufacturer of the product

ThinkServer TS140 from the appropriate tables
#use student
#DESCRIBE product
#INSERT INTO Product ( ) values ();
#INSERT INTO Product ( ) values ();
Ex
INSERT INTO manufacturer ( name,seller,phone_number )
values( 'HP','Joe Doe','+1 ( 432 ) 754 - 35 0 9') ;
Verify the Insert privilege
INSERT INTO Product (name ,ID ) VALUES ('ThinkServer','TS140') ;
Verify UPDATE privilege

UPDATE Product SET name= ' Solid State Drive' where id = 3 ;
Verify Delete
DELETE FROM Product WHERE name LIKE 'Memory' ;
=================================================================
=================================================================
===============
17.
* Script1
- create a script called /root/conditional with
following details.
- When run as /root/conditional postconf, should
bring the output as "postroll"
- When run as /root/conditional postroll, should
bring the output as "postconf"
- When run with any other argument or without
argument,
should bring the stderr as "/root/condition
postconf|postroll"
#vim /root/conditional
#!/bin/bash
case $@ in #Here
$@ means each argument is seen as a separate word, also we have
$# which represents the no of command line arguments passed to a
script.
postconf ) echo "Postroll";;
# also $? returns the exit status of the executed
command , upon completion , a commonds exit status is passed to
the parent process and stored in ? variable.
Postroll ) echo "postconf";;
*) echo "/root/conditional postconf | Postroll";;
esac
#chmod a+x /root/conditional
#vim /root/conditional
#!/bin/bash
if [ $1 == "postroll" ] then echo "postconf"
elif [ $1 == "postconf" ] then echo "postroll"
else echo "/root/condition postconf|postroll"
fi
=================================================================
=================================================================
==================
18.
* Script2
- Create a script called /root/makeusers
- When this script is called with the testfile
argument, it should add all the users from the file
- Download the file from
http://classroom.example.com/testfile
- All users should have the login shell as
/bin/false, password not required.
- When this script is called with anyother argument,
it should print the message as "Input File Not Found"
- When this script is run without any argument, it
should display "Usage: /root/makeusers"
- NOTE: If the users are added no need to delete.
#wget http://classroom.example.com/pub/testfile
#vim /root/makeusers
#!/bin/bash
a=""
case $@ in
testfile )
for b in `cat testfile`

do
useradd -s /bin/false $b;
done;;
$a )
echo "Usage:/root/makeusers";;
* )
echo "Input file Not Found";;
esac
#chmod a+x /root/makeusers
#!/bin/bash
if [ -f $1 ]
then
if [ -s $1 ]
then
user=`cat $1`
for i in $user
do
useradd $i
echo "The $i user has been created"
done
else
echo "$1 is empty file"
fi
else
echo "the $1 file is not exists"
fi
=================================================================
=================================================================
=====================
19.
* Webserver.
- Implement a webserver on Server for the site
http://serverX.example.com (172.25.X.0/24, X is the foundation
machine no.)
- Download the webpage from
http://classroom.example.com/rhce.html
- rename the downloaded file in to index.html.
- copy the file into the document root.
- Do not make any modification with the content of
the index.html.
yum install httpd httpd-manual
systemctl start httpd

systemctl enable httpd
firewall-cmd --permanent --add-service=http

firewall-cmd –reload
wget http://station.network0.example.com/pub/rhce/rhce.html
mv rhce.html /var/www/html/index.html
cd /etc/httpd/conf.d/
vim server1.conf
<VirtualHost *:80>
ServerAdmin webmaster@server1.example.com
ServerName server1.example.com
DocumentRoot /var/www/html
CustomLog "logs/server1_access_log" combined
ErrorLog "logs/server1_error_log"
</VirtualHost>
<Directory "/var/www/html">
<RequireAll>
Require all granted
Require not host my22ilt.org
</RequireAll>
</Directory>
systemctl restart httpd
=================================================================
=================================================================
=====================
20.
* secured webserver
- configure the website https://serverX.example.com
with TLS
- SSLCertificate file
http://classroom.example.com/pub/tls/certs/serverX.crt
- SSLCertificatekeyfile
http://classroom.example.co/pub/tls/private/serverX.key
- SSL CA certificate file
http://classroom.example.com/pub/example-ca.crt
yum install –u mod_ssl
wget
http://classroom.example.com/pub/rhce/tls/certs/system1.network1.
crt
wget
http://classroom.example.com/pub/rhce/tls/private/system1.network
1.key
wget http://classroom.example.com/pub/example-ca.crt
mv system1.network1.crt /etc/pki/tls/certs/
mv system1.network1.key /etc/pki/tls/private/
mv example-ca.crt /etc/pki/tls/certs/
# Very Important, Fix the Permission on Key File

chmod 0600 /etc/pki/tls/private/system1.network1.key
vim /etc/httpd/conf.d/server1.conf
(Add the following)
<VirtualHost *:443>
ServerName server1.example.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
firewall-cmd --permanent --add-service=https

firewall-cmd –reload
=================================================================
=================================================================
=====================
21.
* webpage content modification.

- Implement website for
http://serverX.example.com/owndir
Create a directory named as "owndir" under the
document root of webserver
Download http://classroom.example.com/own.html
rename the file into index.html
The content of the restricted should be visible to
everyone browsing from your local system but should not be
accessible from other location
mkdir /var/www/html/owndir
restorecon –Rv /var/www/html
cd /var/www/html/owndir
wget http://station.network0.example.com/pub/rhce/restrict.html
mv restrict.html intex.html
vi /etc/httpd/conf.d/server1.conf
(Add this)
<Directory "/var/www/html/owndir">
AllowOverride None
Require all Denied
Require local
</Directory>
=================================================================
=================================================================
=====================
22.
* Virtual hosting.
- Setup a virtual host with an alternate document root
on Server. Extend your web to include a virtual for the site
http://wwwX.example.com
Set the document root as /srv/netX/vhosts
Download http://classroom.example.com/vhost.html
rename it as index.html
place this document root of the virtual host
- Note: The other websites configures for your server
must still be accessible.
wwwX.example.com is resolvable by the DNS
server in our lab.
Check that the mentioned document root exists by:
cd /usr/local/vhosts
If it doesn’t exist then create it:
mkdir /usr/local/vhosts
cd /usr/local/vhosts
wget http://station.network0.example.com/pub/rhce/vhost.html
mv vhost.html index.html
semanage fcontext -a -t httpd_sys_content_t

"/usr/local/vhosts(/.*)?"
restorecon -Rv /usr/local/vhosts/
Create the configuration of new virtual host:
vim /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:80>
ServerAdmin webmaster@vhosts1.example.com
ServerName vhosts1.example.com
DocumentRoot /usr/local/vhosts
CustomLog "logs/vhosts_access_log" combined
ErrorLog "logs/vhosts_error_log"
</VirtualHost>
<Directory "/usr/local/vhosts">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
=================================================================
=================================================================
=====================
23.
* Dynamic Webpage Configuration.

- configure website http://webappX.example.com:8961
on Server
with the documentroot /srv/www/dynamic/
- Site should executes webapp.wsgi.
- The Web application is available on
http://classroom.example.com/webapp.wsgi
- Content of the script should not be modified.
yum install -y mod_wsgi
mkdir –p /srv/www/dynamic/
cd /srv/www/dynamic/
wget http://classroom.example.com/pub/webapp.wsgi
restorecon –Rv /srv/www/dynamic/
vim /etc/httpd/conf/httpd.conf
Listen 8961
vim /etc/httpd/conf.d/wsgi1.conf
<VirtualHost *:8961>
ServerAdmin webmaster@wsgi1.example.com
ServerName wsgi1.example.com
DocumentRoot /var/www/scripts # We don’t need it,only testing
WSGIScriptAlias / /var/www/scripts/webapp.wsgi
CustomLog "logs/wsgi_access_log" combined
ErrorLog "logs/wsgi_error_log"
</VirtualHost>
<Directory "/var/www/scripts">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
firewall-cmd --permanent --add-port=8961/tcp

firewall-cmd --reload
semanage port -a -t http_port_t -p tcp 8961
systemctl status httpd
Verification from Server2:

yum install -y elinks
links --dump http://wsgi1.example.com:8961
Should present with the desired page
=================================================================
=================================================================
=====================
===========================================END===================
=END=============================================================
==================

Answers For Rhce

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Answers For Rhce

Enviado por

Direitos autorais:

Formatos disponíveis

2

To know if Firewalld is running, type

To check the active and default zone

[root@server3 Desktop]# vim /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.

[root@server3 Desktop]# reboot after this reboot your

[root@server3 yum.repos.d]# yum repolist

[root@server3 yum.repos.d]# rpm -qa openssh*

[root@server3 yum.repos.d]# systemctl status sshd.service

[root@server3 yum.repos.d]# firewall-cmd --permanent --add-rich-

[root@server3 yum.repos.d]# firewall-cmd --reload

systemctl enable sshd

4. Configure port forwarding.

Check if firewall is installed.

[root@server3 yum.repos.d]# rpm -qa firewall*

[root@server3 yum.repos.d]# firewall-cmd --permanent --add-rich-

[root@server3 yum.repos.d]# firewall-cmd --reload

[root@server3 yum.repos.d]# ssh desktop3

Just check how ot cross verify if its working

ssh server2.example.com -P 5243 execute this on desktop ,

[root@server3 yum.repos.d]# cd /usr/bin/

[root@server3 bin]# nmcli connection modify "System eth0"

[root@server3 bin]# ssh desktop3

[root@desktop3 ~]# logout

we configured for eno1 in mock and its working fine

[root@server3 bin]# nmcli connection add con-name team0-port1

[root@server3 bin]# nmcli connection up team0

teamdctl team0 state

Take the Backup of main.cf

[root@server3 Desktop]# rpm -qa postfix

Jun 08 04:42:58 localhost systemd[1]: Starting Postfix Mail

[root@server3 Desktop]# postconf "myorigin=example.com"

[root@server3 Desktop]# cat /etc/postfix/main.cf

# LOCAL PATHNAME INFORMATION

# The command_directory parameter specifies the location of all

# The daemon_directory parameter specifies the location of all

# The data_directory parameter specifies the location of Postfix-

# QUEUE AND PROCESS OWNERSHIP

# The default_privs parameter specifies the default rights used

# INTERNET HOST AND DOMAIN NAMES

# The mydomain parameter specifies the local internet domain

# The inet_interfaces parameter specifies the network interface

# Enable IPv4, and IPv6 if supported

# The proxy_interfaces parameter specifies the network interface

# The mydestination parameter specifies the list of domains that

# REJECTING MAIL FOR UNKNOWN LOCAL USERS

# The unknown_local_recipient_reject_code specifies the SMTP

# TRUST AND RELAY CONTROL

# The mynetworks parameter specifies the list of "trusted" SMTP

# Alternatively, you can specify the mynetworks list by hand, in

# The relay_domains parameter restricts what destinations this

# The relayhost parameter specifies the default host to send mail

# REJECTING UNKNOWN RELAY USERS

# INPUT RATE CONTROL

# ADDRESS REDIRECTION (VIRTUAL DOMAIN)

# "USER HAS MOVED" BOUNCE MESSAGES

# The alias_database parameter specifies the alias database(s)

# ADDRESS EXTENSIONS (e.g., user+foo)

# The mail_spool_directory parameter specifies the directory

# The mailbox_command parameter specifies the optional external

# The mailbox_transport specifies the optional transport in

# If using the cyrus-imapd IMAP server deliver local mail to the

# The fallback_transport specifies the optional transport in